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PROPOSED  RULE  ON  THE  PRIVACY  OF  INDI- 
VroUALLY  roENTIFIABLE  HEALTH  INFOR- 
MATION 


WEDNESDAY,  APRIL  26,  2000 

U.S.  Senate, 

Committee  on  Health,  Education,  Labor,  and  Pensions, 

Washington,  DC. 

The  committee  met,  pursuant  to  notice,  at  10:05  a.m.,  in  room 
SD-430,  Dirksen  Senate  Office  Building,  Senator  Jeffords  (chair- 
man of  the  committee)  presiding. 

Present:  Senators  Jeffords,  Kennedy,  Dodd,  Wellstone,  Murray, 
and  Reed. 

Opening  Statement  of  Senator  Jeffords 

The  Chairman.  The  hearing  will  come  to  order. 

Today  marks  the  Health  and  Education  Committee's  eighth  hear- 
ing on  one  of  the  most  pressing  issues  confronting  our  health  care 
system — ^the  confidentiality  of  health  care  information. 

As  most  of  you  know,  we  are  here  today  as  a  result  of  what 
seemed  like  a  small  provision  within  the  Health  Insurance  Port- 
ability and  Accountabihty  Act,  or  HIPAA.  The  HIPAA  provision 
states  that  should  Congress  not  enact  medical  records  privacy  leg- 
islation by  August  21,  1999,  the  Secretary  of  Health  and  Human 
Services  is  required  to  issue  regulations  on  privacy  standards  for 
individually  identifiable  health  information.  Fvirther,  these  regula- 
tions must  address  the  following:  the  rights  of  the  individual  who 
is  the  subject  of  the  information;  procedures  for  exercising  such 
rights;  and  the  authorized  and  required  uses  and  disclosures  of 
such  information. 

Last  year,  this  committee  worked  tirelessly  to  produce  bipartisan 
legislation  that  struck  the  appropriate  balance  between  providing 
protection  for  medical  information  while  also  allowing  for  necessary 
sharing  of  information  within  integrated  health  care  systems. 

In  working  closely  with  Senators  Dodd,  Frist,  Kennedy,  and 
other  members  of  the  committee,  we  were  able  to  make  tremendous 
progress  in  resolving  many  policy  differences.  Unfortunately,  some 
issues  remained  on  which  we  were  unable  to  reach  agreement. 
Since  we  were  unable  to  pass  comprehensive  medical  records  pri- 
vacy legislation,  the  Secretary  of  Health  and  Human  Services  now 
has  the  duty  to  produce  final  regulations  this  year  that  will  go  into 
effect  in  the  year  2002. 

Last  November,  when  the  Department  of  Health  and  Human 
Services  issued  their  proposed  rule  on  the  privacy  of  individually 
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identifiable  health  information,  I  asked  the  General  Accounting  Of- 
fice (GAO)  to  study  the  interim  regulatory  process  and  report  their 
findings  to  this  committee.  I  specifically  asked  them  to  look  at  the 
nature  of  the  comment  letters  that  Health  and  Human  Services  re- 
ceived, as  well  as  to  address  whether  the  administration's  proposed 
rule  is  consistent  with  the  statutory  authority  under  HIPAA. 

For  those  of  you  who  actually  read  the  600-plus  pages  of  the  pro- 
posed rule,  imagine  reading  the  52,000  comment  letters  that  fol- 
lowed the  publication  of  the  proposed  rule.  While  this  is  a  stagger- 
ing number,  I  am  told  that  about  45,000,  however,  were  form  let- 
ters containing  identical  information. 

The  GAO  testimony  presented  today  will  touch  upon  two 
themes — that  there  is  widespread  acknowledgment,  despite  the  or- 
ganizations* diverse  perspectives,  of  the  importance  of  protecting 
the  privacy  of  medical  records;  and  that  fundamental  differences 
among  the  groups*  positions  reflect  the  conflicts  that  sometimes 
arise  between  maintaining  privacy  protections  and  achieving  other 
important  social  goals. 

A  study  by  the  National  Research  Council  shows  that  the  path- 
way of  a  typical  medical  record  is  no  longer  confined  within  the 
control  of  the  patient's  personal  physician.  Today,  a  typical  record 
may  be  handled  by  numerous  individuals  in  more  than  17  different 
organizations.  Technology  has  provided  the  tools  to  allow  the  ease 
of  access  to  health  care  information.  Now,  enforceable  national  pro- 
tections are  needed  to  ensure  the  confidentiality  of  this  personal 
health  information. 

As  we  hear  from  all  of  our  expert  witnesses  today,  I  hope  to  gain 
a  better  understanding  regarding  the  appropriateness  of  the  pro- 
posed rule  on  the  privacy  of  individually  identifiable  health  infor- 
mation, as  well  as  whether  future  legislation  is  needed  to  fill  gaps 
that  perhaps  resulted  from  the  Secretary's  limited  authority  in 
issuing  the  regulation. 

The  hearing  will  follow  the  committee's  usual  format.  Each  of  the  _ 
witnesses  will  speak  for  5  minutes,  and  each  member  of  the  com- 
mittee will  have  up  to  5  minutes  per  round  for  questioning.  The 
hearing  record  will  remain  open  for  2  weeks,  and  any  written  state- 
ments and  questions  for  the  record  should  be  submitted  within  that 
time. 

That  said,  let  me  welcome  all  of  our  witnesses.  I  look  forward  to 
hearing  your  testimony  today  and  working  together  with  you  now 
and  in  the  future  to  reach  the  appropriate  results. 

I  am  pleased  to  introduce  our  witnesses  this  morning.  Testifying 
first  will  be  Dr.  Janet  Heinrich,  Associate  Director  for  Health  Fi- 
nancing and  Public  Health  Issues  at  the  U.S.  General  Accounting 
Office,  Washington,  DC.  Previously,  Dr.  Heinrich  was  director  of 
the  American  Academy  of  Nursing  and  also  served  as  Director  of 
Extramural  Programs,  National  Institute  of  Nursing  Research,  at 
the  National  Institutes  of  Health.  Her  professional  experience  en- 
compasses public  health  nursing  in  urban  and  rural  settings,  as 
well  as  public  policy  making  at  the  local,  State,  and  Federal  levels. 
In  addition  to  her  nursing  degree,  her  credentials  include  a  Master 
of  Public  Health  from  The  Johns  Hopkins  University  School  of  Hy- 
giene and  Public  Health  and  a  Doctorate  of  Public  Health  from  the 
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Yale  University  Department  of  Epidemiology  and  Public  Health  in 
the  School  of  Medicine. 

Dr.  Heinrich,  as  always,  it  is  a  pleasiu-e  to  have  you  with  us,  and 
we  look  forward  to  your  remarks. 

I  will  turn  first  to  our  ranking  member.  Senator  Kennedy,  for 
any  comments. 

Opening  Statement  of  Senator  Kennedy 

Senator  Kennedy.  Thank  you,  Mr.  Chairman.  I  have  just  a  brief 
comment. 

I  want  to  thank  you  for  calling  this  hearing  on  the  proposed  rules 
to  safeguard  the  confidentiality  of  medical  records.  This  issue  is 
critically  important  to  every  American  who  seeks  medical  care. 
Every  patient,  particularly  in  this  electronic  age,  must  be  able  to 
trust  that  personal  medical  information  will  not  be  improperly  dis- 
closed or  used  for  imauthorized  purposes. 

The  importance  of  this  trust  between  the  patient  and  the  doctor 
has  been  recognized  since  the  very  dawn  of  medicine.  Before  being 
entrusted  witn  the  heavy  responsibilities  of  providing  to  the  sick 
and  injured,  doctors  take  a  solemn  oath  based  upon  the  declara- 
tions and  principles  laid  down  by  the  Greek  physician,  Hippocrates, 
more  than  2,000  years  ago. 

Over  the  centuries,  these  principles  have  served  as  the  fovmda- 
tion  of  good  medical  practice,  and  as  we  consider  today  the  basic 
issue  of  privacy  of  medical  records,  we  would  do  well  to  remember 
the  Hippocratic  Oath:  "Whatever,  in  connection  with  my  profes- 
sional practice,  I  see  or  hear  which  ought  not  to  be  spoken  of 
abroad,  I  will  not  divulge,  coimting  such  things  to  be  sacred  se- 
crets." 

Unfortimately,  the  "sacred  secrets"  of  which  the  Hippocratic 
Oath  spoke  have  now  lost  much  of  their  sanctity.  In  this  era  of  in- 
stantaneous electronic  commimication,  medical  information  can  be 
sent  aroimd  the  world  at  the  touch  of  a  button,  and  vast  databases 
of  personal  medical  information  are  compiled  and  sold  to  the  high- 
est bidder.  Although  health  care  personnel  must  clearly  have  ac- 
cess to  medical  records  to  provide  nigh-quality  treatment  or  obtain 
pajrment  for  services,  the  absence  of  effective  privacy  protections 
often  allows  employers,  sales  agents,  and  even  neighbors  to  obtain 
improper  access  to  the  medical  information  that  all  of  us  would 
wish  to  protect. 

When  patients  fail  to  confide  in  their  doctors,  both  patients  and 
society  suffer,  and  patients  who  are  afraid  to  tell  their  doctor  about 
a  previously-diagnosed  condition  for  fear  of  seeing  that  information 
misused  may  receive  medications  that  are  ineffective  or  even  dan- 
gerous. 

And  patients  who  are  afraid  of  disclosiu-e  of  their  medical  condi- 
tion to  their  employer  or  their  coworkers  may  delay  seeking  treat- 
ment or  even  delay  taking  a  simple  diagnostic  test,  with  the  result 
that  a  previously  treatable  condition  becomes  incurable. 

We  must  all  work  together  to  restore  the  trust  in  the  confiden- 
tiality of  medical  practice  and  thus  dispel  the  fear  that  so  many  pa- 
tients feel  about  the  security  of  their  personal  medical  information. 

In  1996,  Senator  Kassebaum  and  I,  along  with  many  other  mem- 
bers of  our  committee,  worked  together  to  pass  the  Health  Insur- 
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ance  Portability  and  Accountability  Act.  This  legislation  called  on 
Congress  to  deal  with  the  pressing  issue  of  confidentiality  of  medi- 
cal records  by  enacting  comprehensive  legislation.  It  required  the 
Secretary  of  Health  and  Human  Services  to  formulate  regulations 
on  the  privacy  of  medical  records  if  Congress  declined  to  act. 

We  agreed  that  inaction  by  Congress  should  not  mean  no  action 
on  this  important  issue. 

To  fulfill  the  requirements  of  the  Act,  Secretary  Shalala  and  her 
staff  worked  effectively  to  establish  principles  to  safeguard  the  pri- 
vacy of  medical  records  while  still  allowing  the  use  of  medical  infor- 
mation which  is  necessary  for  effective  delivery  of  health  care.  Her 
task  was  a  challenging  one,  and  I  commend  the  Secretary  for  the 
thoroughness  of  her  work  in  addressing  the  many  complexities  of 
this  difficult  issue. 

I  look  forward  to  the  testimony  from  today's  witnesses,  particu- 
larly Janlori  Goldman,  whose  expert  advice  was  especially  valuable 
during  last  year's  deliberations  on  medical  privacy  in  this  commit- 
tee; and  Dr.  Greg  Koski,  from  the  Massachusetts  General  Hospital, 
who  serves  on  the  faculty  of  that  world-renowned  research  and  is 
well-known  for  his  leadership  in  preserving  the  privacy  of  medical 
records  for  patients  involved  in  medical  research. 

Again  I  thank  you,  Mr.  Chairman. 

[The  prepared  statement  of  Senator  Kennedy  follows:] 

Prepared  Statement  of  Senator  Kennedy 

Thank  you,  Mr.  Chairman,  for  calling  this  hearing  on  the  pro- 
posed rules  to  safeguard  the  confidentiality  of  medical  records.  This 
issue  is  critically  important  to  every  American  who  seeks  medical 
care.  Every  patient — ^particularly  in  this  electronic  age — ^must  be 
able  to  trust  that  personal  medical  information  will  not  be  improp- 
erly disclosed  or  used  for  unauthorized  purposes. 

The  importance  of  this  trust  between  patient  and  doctor  has  been 
recognized  since  the  very  dawn  of  medicine.  Before  being  entrusted 
with  the  heavy  responsibility  of  providing  care  to  the  sick  and  in- 
jured, doctors  take  a  solemn  oath  based  on  the  declaration  of  prin- 
ciples laid  down  by  the  Greek  physician,  Hippocrates,  more  than 
two  thousand  years  ago.  Over  the  centuries,  these  principles  have 
served  as  the  foundation  of  good  medical  practice.  As  we  consider 
today  the  basic  issue  of  privacy  of  medical  records,  we  would  do 
well  to  remember  the  words  of  the  Hippocratic  Oath: 

^Whatever,  in  connection  with  my  professional  practice  ...  I  see 
or  hear  .  .  .  which  ought  not  to  be  spoken  of  abroad,  I  will  not  di- 
vulge, counting  such  things  to  be  as  sacred  secrets.** 

Unfortunately,  the  "sacred  secrets"  of  which  Hippocrates  spoke 
have  now  lost  much  of  their  sanctity.  In  this  era  of  instantaneous 
electronic  communication,  medical  information  can  be  sent  around 
the  world  at  the  touch  of  a  button.  Vast  databases  of  personal  med- 
ical information  are  compiled  and  sold  to  the  highest  bidder.  Al- 
though health  care  personnel  must  clearly  have  access  to  medical 
records  to  provide  lugh-quality  treatment  and  obtain  payment  for 
services,  the  absence  of  effective  privacy  protections  often  allows 
employers,  sales  agents,  or  even  neighbors  to  obtain  improper  ac- 
cess to  the  medical  information  that  adl  of  us  would  wish  to  protect. 
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When  patients  fail  to  confide  in  their  doctors,  both  patients  and 
society  suffer.  Patients  who  are  afraid  to  tell  their  doctor  about  a 
previously  diagnosed  condition,  for  fear  of  seeing  that  information 
misused  may  receive  medications  that  are  ineffective  or  even  dan- 
gerous. Patients  who  are  afraid  of  disclosure  of  their  medical  condi- 
tion to  their  employer  or  their  coworkers  may  delay  seeking  treat- 
ment or  even  delay  taking  a  simple  diagnostic  test — with  the  result 
that  a  previously  treatable  condition  becomes  incurable. 

We  must  all  work  together  to  restore  the  trust  in  the  confiden- 
tiahty  of  medical  practice  and  thus  dispel  the  fear  that  so  many  pa- 
tients feel  about  the  security  of  their  personal  medical  information. 

In  1996,  Senator  Kassebaum  and  I — ^along  with  many  other 
members  of  our  conmiittee — worked  together  to  pass  the  Health  In- 
surance Portability  and  Accountability  Act.  This  legislation  called 
on  Congress  to  deal  with  the  pressing  issue  of  confidentiality  in 
medical  records  by  enacting  comprehensive  legislation.  It  also  re- 
quired the  Secretary  of  Health  and  Human  Services  to  formulate 
regulations  on  the  privacy  of  medical  records  if  Congress  declined 
to  act.  We  agreed  that  inaction  by  Congress  should  not  mean  no 
action  on  this  important  issue. 

To  fulfill  the  requirements  of  the  Act,  Secretary  Shalala  and  her 
staff  have  worked  effectively  to  establish  principles  to  safeguard 
the  privacy  of  medical  records,  while  still  allowing  the  uses  of  med- 
ical information  that  are  necessary  for  effective  delivery  of  health 
care.  Her  task  was  a  challenging  one,  and  I  commend  the  Secretary 
for  the  thoroughness  of  her  work  in  addressing  the  many  complex- 
ities of  this  difficult  issue.  I  have  always  maintained  that  medical 
records  should  have  protections  similar  to  those  extended  to  video 
rental  records.  Therefore,  I  am  concerned  that  this  regulation  gives 
law  enforcement  officials  broad  access  to  these  personal  records, 
but  I  beheve  we  could  address  this  when  we  take  up  comprehensive 
legislation. 

The  regulations  proposed  by  Secretary  Shalala  are  an  important 
step  toward  assuring  the  confidentiality  of  health  information. 
Nonetheless,  more  remains  to  be  done.  In  formulating  the  regula- 
tions that  are  the  subject  of  today's  hearing.  Secretary  Shalala  was 
quite  properly  constrained  by  the  legislative  boundaries  of  the  1996 
Act. 

A  major  focus  of  the  Act  was  on  electronic  medical  records,  rath- 
er than  the  paper  records  that  still  form  the  vast  majority  of  pa- 
tients* medical  files.  To  conform  to  a  narrow  reading  of  the  Act,  the 
Secretary  proposes  to  restrict  the  scope  of  the  regulations  to  elec- 
tronic records.  Many  legal  scholars  have  agreed  that  extending  the 
coverage  of  privacy  regidations  to  paper  records  would  be  within 
the  scope  of  the  Act,  and  I  urge  the  Secretary  to  consider  such  an 
extension. 

In  accord  with  the  Act,  the  regulations  cover  only  a  few  specified 
types  of  businesses,  rather  than  directly  covering  all  businesses 
with  access  to  a  patient's  records.  In  today's  complex  health  care 
environment,  a  patient's  medical  information  may  pass  from  a  doc- 
tor to  an  insurer  to  a  pharmacy  to  a  marketer  of  medical  prod- 
ucts— all  with  the  click  of  a  mouse.  Congressional  action  would  pro- 
tect all  health  information — ^however  it  is  transmitted  and  wher- 
ever it  exists. 
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Finally,  the  Act  did  not  provide  for  the  right  of  citizens  to  seek 
legal  remedies  if  the  confidentiality  of  their  records  is  violated. 
Past  experience  shows  that  a  private  right  of  action  is  an  effective 
deterrent  against  violations,  and  only  a  private  action  can  provide 
adequate  compensation  when  deterrence  fails.  To  restore  the  trust 
of  patients  in  the  confidentiality  of  their  medical  records  and  to 
protect  that  trust  with  effective  enforcement,  we  must  pass  com- 
prehensive medical  privacy  legislation. 

I  look  forward  to  the  testimony  from  today's  witnesses.  I  particu- 
larly welcome  Janlori  Goldman,  whose  expert  advice  was  especially 
valuable  during  last  year's  deliberations  on  medical  privacy  in  this 
committee,  and  Dr.  Greg  Koski  from  Massachusetts  General  Hos- 
pital, who  serves  on  the  faculty  of  that  world-renowned  research  in- 
stitution and  who  is  well  known  for  his  leadership  in  preserving 
the  privacy  of  medical  records  for  patients  involved  in  medical  re- 
search. 

The  Chairman.  Thank  you. 

Let  me  first  say  that  accompan3dng  Dr.  Heinrich  today  is  Barry 
R.  Bedrick.  Mr.  Bedrick  is  an  associate  general  counsel  in  the  Gen- 
eral Accounting  Office.  He  has  been  with  GAO  since  1972  and  has 
been  in  charge  of  providing  legal  support  for  GAO's  work  on  health, 
education,  labor,  pensions,  and  related  issues  since  1989.  He  is  a 
graduate  of  Colgate  University  and  Harvard  Law  School. 

Dr.  Heinrich,  please  proceed. 

STATEMENT  OF  JANET  HEINRICH,  ASSOCIATE  DIRECTOR, 
HEALTH  FINANCING  AND  PUBLIC  HEALTH  ISSUES,  U.S.  GEN- 
ERAL ACCOUNTING  OFFICE,  WASHINGTON,  DC,  ACCOM- 
PANIED BY  BARRY  R.  BEDRICK,  ASSOCIATE  GENERAL  COUN- 
SEL 

Ms.  Heinrich.  Mr.  Chairman  and  members  of  the  committee,  we 
are  pleased  to  be  here  today  to  discuss  the  Department  of  Health 
and  Human  Services  proposed  rule  on  patient  confidentiality  issued 
last  November. 

Few  areas  of  our  lives  are  perceived  to  be  more  private  than  our 
health  and  medical  care.  Historically,  allowing  access  to  informa- 
tion contained  in  medical  records  has  been  the  responsibility  of 
physicians  and  hospitals,  with  informed  consent  from  patients  and 
their  famiUes. 

The  proliferation  of  electronic  records  and  managed  care  arrange- 
ments has  raised  questions  about  the  extent  to  which  individuals* 
health  care  information  is  protected  from  inappropriate  disclosure. 

Because  no  comprehensive  Federal  laws  have  been  enacted  to  en- 
sure confidentiality  of  patient  data  in  the  private  sector,  the  Con- 
gress included  in  the  Health  Insurance  Portability  and  Accountabil- 
ity Act,  HIPAA,  a  provision  that  the  Secretary  of  Health  and 
Human  Services  develop  legislative  recommendations  aimed  at  fill- 
ing this  gap. 

The  Congress  ftirther  stipulated  that  if  legislation  governing  pri- 
vacy standards  was  not  enacted  by  last  year,  the  Secretary  would 
issue  regulations  on  the  matter. 

At  your  request,  we  examined  the  consistency  between  the 
HIPAA  statute  and  the  proposed  rules;  we  reviewed  public  re- 
sponses to  the  rule  among  a  selected  group  of  40  organizations  rep- 
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resenting  health  care  providers,  health  plans,  patient  advocates, 
and  other  constituencies,  and  we  identified  concerns  articulated  by 
these  organizations  that  would  require  legislative  action. 

The  regulatory  approaches  HHS  adopted  in  the  proposed  rule 
seem  consistent  with  HIPAA's  purpose  of  protecting  the  privacy  of 
health  information  and  are  legally  permissible.  By  requiring  that 
entities  directly  regulated  by  the  rule — health  plans,  health  care 
providers,  and  health  care  clearinghouses — control  the  information 
processes  and  practices  of  entities  with  which  they  do  business, 
HHS  has  attempted  to  fill  an  otherwise  significant  gap  in  privacy 
protection. 

HHS  covered  the  "paper  progeny*'  of  electronically-maintained  or 
transmitted  health  information  in  their  rule.  If  they  had  not,  the 
privacy  protections  extended  to  individuals  by  HIPAA  would  be 
easy  to  circumvent  merely  by  printing  out  the  electronic  record. 

The  decision  to  build  flexibility  into  the  proposed  rule  by  allow- 
ing implementation  of  the  standards  to  vary  on  the  basis  of  an  or- 
ganization's size  is  also  within  the  authority  of  HHS.  Although 
there  are  many  sections  of  the  rule  that  elicited  little  reaction,  sug- 
gesting a  relative  lack  of  controversy,  there  were  several  areas  of 
explicit  disagreement  with  the  proposed  regulation. 

Out  of  the  more  than  50  sections  of  the  proposed  rule,  only  14 
were  commented  on  by  at  least  half  of  the  stakeholders  that  we  se- 
lected. Six  issues  drew  the  greatest  attention  across  the  40  stake- 
holder statements  that  we  reviewed. 

Let  me  simmiarize  the  major  points  of  contention.  They  are:  Pre- 
empting all  State  laws  that  are  in  conflict  with  the  rule  and  pro- 
vide less  stringent  privacy  protections;  allowing  standing  author- 
ization for  disclosures  for  treatment,  payment  and  health  care  oper- 
ations; restricting  the  amount  of  information  used  and  disclosed; 
defining  "covered  entities"  and  the  types  of  information  covered; 
specifying  procedures  for  individual  authorization  where  they  are 
still  required;  and  implementing  provisions  for  business  partner 
contracts  to  ensure  that  disclosed  information  remains  confidential. 

The  positions  taken  on  those  controversial  issues  addressed  fun- 
damental concerns  such  as  the  scope  of  the  rule,  definition  of 
terms,  and  the  consequences  of  decisions  on  the  costs  and  burdens 
imposed  by  the  rule. 

Many  organizations  cited  a  need  for  the  Congress  to  act  if  per- 
sonal health  information  is  to  be  subject  to  the  same  standards  re- 
gardless of  geography  and  argued  for  the  need  for  a  uniform  Fed- 
eral standard  preempting  all  State  laws.  Others  called  for  legisla- 
tive modification  to  extend  the  Department's  authority  to  cover  all 
identifiable  health  information,  regsirdless  of  whether  it  had  been 
electronically  stored  or  transmitted — ^in  other  words,  to  cover  the 
paper  record.  A  large  number  of  comments  from  across  the  spec- 
trum of  stakeholder  groups  advocated  legislative  changes  to  extend 
coverage  under  the  rule  to  all  types  of  entities  that  use  or  disclose 
identifiable  health  information. 

Regarding  enforcement,  there  were  only  three  stakeholders  in 
our  selected  group  that  stated  that  the  Congress  should  establish 
a  private  right  of  action  for  individuals  to  enforce  their  rights 
imder  the  privacy  rules. 
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In  conclusion,  we  found  widespread  support  for  the  goal  of  pro- 
tecting individually  identifiable  health  information  from  misuse. 
The  issue  is  not  whether  to  protect  the  confidentiality  of  medical 
records,  but  the  best  approach  for  doing  so. 

Differences  among  the  groups  reflect  the  conflicts  that  sometimes 
arise  between  the  need  for  individual  privacy  and  other  objectives 
such  as  research  or  the  need  for  reducing  cost  of  care.  As  the  De- 
partment of  Health  and  Himian  Services  considers  comments  in 
formulating  the  final  rule,  it  will  need  to  weigh  both  the  relative 
priority  to  give  to  these  other  objectives  and  the  merit  of  differing 
views  on  the  feasibility  of  alternative  approaches. 

Mr.  Chairman  and  members  of  the  committee,  this  concludes  my 
prepared  statement,  and  I  will  be  happy  to  answer  any  questions. 

[The  prepared  statement  of  Ms.  Heinrich  follows:] 
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Mr.  Chairman  and  Members  of  the  Conmiittee: 

We  are  pleased  to  be  here  today  to  discuss  the  most  recent  efforts  to  develop  a  federal  health 
privacy  policy.  Few  areas  of  our  lives  are  perceived  to  be  more  private  than  our  health  and 
medical  care.  Historically,  individuals'  access  to  information  contained  in  their  own  medical 
records  and  control  of  others'  access  to  that  information  have  largely  been  in  the  command  of 
patients,  their  physicians,  and  providers  such  as  hospitals.  However,  the  proliferation  of 
electronic  records  and  managed  care  arrangements  has  raised  questions  about  the  extent  to  which 
individuals'  health  care  infonnation  is  protected  from  inappropriate  disclosure.  The  disclosure 
of  personally  identifiable  medical  information  without  authorization  may  not  only  result  in 
infonnation  being  revealed  that  an  individual  wishes  to  remain  confidential  but  may  subject  an 
individual  to  discrimination  in  employment,  insurance,  or  other  matters. 

While  federal  statutes  affect  the  disclosure  of  records  imder  federally  funded  programs — such  as 
the  Medicare  program  or  veterans'  programs — no  comprehensive  federal  laws  have  been  enacted 
covering  private  sector  activities  in  this  area.  Recognizing  the  need  to  ensure  confidentiality  of 
patient  data,  the  Congress  included  in  the  Health  hisurance  Portability  and  AccountabiUty  Act  of 
1996  (HIPAA)  a  provision  that  the  Secretary  of  Health  and  Human  Services  develop  legislative 
recommendations  aimed  at  filling  this  gap.'  The  Congress  fiirther  stipulated  that  if  legislation 
governing  privacy  standards  was  not  enacted  by  August  21,  1999,  the  Secretary  should  issue 
regulations  on  the  matter.  The  Department  of  Health  and  Human  Services  (HHS)  submitted  the 
required  recommendations  to  the  Congress,  but  legislation  was  not  enacted.  HHS  issued 
proposed  regulations  on  November  3, 1999.^ 

You  asked  us  to  examine  the  proposed  regulation  in  terms  of  HHS'  legal  authority  to  act  in  this 
area  as  well  as  assess  the  reaction  from  interested  parties.  Specifically,  we  (1)  examined  the 
authoritative  basis  in  the  HIPAA  statute  for  some  of  the  approaches  taken  by  HHS  in  the 
proposed  rule,  (2)  assessed  the  overall  pattern  of  public  responses  to  the  rule  among  a  selected 
group  of  40  organizations  representing  different  constituencies  affected  by  the  rule,  (3)  examined 
in  detail  the  content  of  the  views  expressed  by  those  organizations  with  respect  to  six  sections  of 
the  rule  that  prompted  an  especially  large  volume  of  comments,  and  (4)  identified  concerns  that 
would  require  legislative  action  to  address. 

In  addressing  these  objectives,  we  examined  the  proposed  rule  and  the  comments  submitted  in 
response  to  it  by  a  selected  group  of  40  organizations.^  In  constructing  this  list,  we  tried  to 
incorporate  those  organizations  that  had  been  active  on  this  issue  in  the  past,  as  well  as  provide 
broad  representation  of  different  constituencies  potentially  affected  by  the  rule.  Thus,  the  list 
includes  organizations  representing  patients,  health  care  providers,  standards  and  accrediting 


'HEPAA  requiied  the  Secretary  of  Health  and  Human  Services  to  submit  recommendations  to  the  Congress  on 
privacy  standards  for  individually  identifiable  health  information  addressing  at  least  the  following:  (1)  rights  of  die 
individual  who  is  the  subject  of  the  information,  (2)  procedures  for  exercising  such  rights,  and  (3)  authorized  and 
required  uses  and  disclosures  of  such  information. 

^64  Fed.  Reg.  59,918.  (Hereafter,  "proposed  rule"  or  "proposed  regulations.")  The  proposed  rtde  can  be 
accessed  at  httpV/aspe.hhs.gov/adininsimp 

'Also  referred  to  as  "stakeholders"  or  "coraracntcrs."  f 
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bodies,  goveniment  entities,  health  care  clearinghouses,  employers,  health  plans,  and  research 
and  pharmaceutical  groups.  (A  Ust  of  these  organizations  is  in  the  ^p.) 

With  regard  to  HHS'  statutory  authority,  we  reviewed  three  issues  that  you  identified  as 
potentially  problematic:  (1)  controlling  the  use  of  information  by  others  not  specifically  covered 
by  HHS'  proposed  rule  ("downstream  users")  by  requiring  covered  entities  to  enter  into  contracts 
with  business  partners;  (2)  the  extension  of  protection  to  the  paper  versions  of  electronic  data; 
and  (3)  the  "scalabiUty"  standard,  which  permits  different  covered  entities  to  decide,  on  the  basis 
of  a  judgment  of  their  administrative  capacity,  how  much  they  need  to  do  to  comply  with  the 
regulations.  In  our  review  of  the  40  stakeholders'  comments,  we  abstracted  the  positions  that 
each  took  on  the  more  than  50  sections  of  the  proposed  rule.  From  this  we  determined  which 
sections  of  the  rule  generated  comments  from  the  different  categories  of  organizations  among 
our  40  selected  stakeholders.  We  then  conducted  a  more  detailed  analysis  of  the  six  sections  of 
the  rule  that  we  foxmd  had  attracted  the  greatest  overall  interest.  We  also  took  particular  note  of 
any  recommendations  that  would  require  legislation  before  they  could  be  implemented. 

In  brief,  the  regulatory  strategies  HHS  adopted  in  the  proposed  rule  seem  consistent  with 
HDPAA's  purpose  of  protecting  the  privacy  of  health  information  and  are  legally  permissible.  By 
requiring  that  entities  directly  regulated  by  the  rule — ^health  plans,  health  care  providers,  and 
health  care  clearinghouses  (firms  that  put  information  into  standard  formats)— control  the 
information  practices  of  entities  with  which  they  do  business,  HHS  has  attempted  to  fill  an 
otherwise  significant  gap  in  privacy  protection.  For  the  same  reason,  HHS  has  covered  the 
"paper  progeny"  of  electronically  maintained  or  transmitted  health  information — the  privacy 
protections  extended  to  individuals  by  HIPAA  would  be  easy  to  circumvent  if  protected  health 
infonnation  in  an  electronic  record  lost  its  protection  merely  by  being  printed.  HHS'  decision  to 
build  flexibility  into  the  proposed  rule  by  alloAving  implementation  of  the  standards  to  vary  on 
the  basis  of  an  organization's  size  is  also  within  its  authority. 

The  stakeholders'  comments  to  HHS  reflected  sharply  divergent  views  on  several  critical  issues. 
Most  notably,  patient  advocates,  state  government  representatives,  and  providers  strongly 
supported  the  provision  of  the  rule  that  preempts  weaker  state  laws  while  leaving  intact  stronger 
ones.  Meanwhile,  health  plans  and  employers  emphasized  the  practical  difficulties  of 
implementing  the  complex  interaction  of  federal  and  different  state  standards.  Similarly,  patient 
advocates  and  law  enforcement  officials  ^jproved  of  extending  the  rule's  coverage  from  the 
three  types  of  entities  subject  to  HIPAA  regulation  to  business  partners  with  whom  these  entities 
share  protected  health  care  data.  However,  the  covered  entities  themselves  were  wary  of 
asstuning  the  responsibility  for  enforcing  compliance  by  these  other  groups.  In  some  cases,  the 
changes  desired  by  industry  groups  and  patient  advocates  would  require  congressional  action. 
For  example,  HHS  could  not  estabHsh  a  uniform  federal  privacy  standard  preempting  all 
appUcable  state  laws  unless  HIPAA  was  amended.  Similarly,  only  the  Congress  could  expand 
the  rule's  coverage  to  all  types  of  entities  that  create,  use,  and  share  protected  health  information. 
For  other  proposed  changes,  such  as  coverage  of  records  that  had  never  been  stored  or 
transmitted  electronically,  it  was  less  clear  whether  HHS  could  act  without  new  legislation. 
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BACKGROUND 

Highlights  of  the  Proposed  Rule 

The  proposed  regulation  addresses  the  protection  of  health  information  from  its  creation  and 
establishes  imifonn  requirements  for  those  handling  the  information.  Personal  health 
information  maybe  used  and  disclosed  under  conditions  specified  in  the  rule  or  when  the 
individual  authorizes  it,  and  it  must  be  disclosed  when  the  individual  wants  to  review  his  or  her 
own  information  (and  when  the  Secretary  wants  to  look  at  the  information  to  enforce  the  rule). 
Key  elements  of  the  proposed  regulation  are  shown  in  table  1. 


Table  1:  Key  Provisions  of  the  Proposed  Privacy  Regulation 


Entities  the  regulation  covers 

Covered  entities  are  all  health  plans,  health  care  providers,  and 
health  care  clearinghouses. 

Information  the  regulation 
covers 

Covered  information  is  any  that  has  been  maintained  electronically 
or  transmitted  electronically.  Such  information  is  protected  in  all  its 
manifestations,  including  its  printed  form,  when  it  is  held  by  a 
covered  entity. 

Permitted  uses  without 
individual  authorization 

"    Protected  information  may  be  used  and  disclosed  for  treatment, 
payment,  and  health  care  operations. 

■  Plans  and  providers  must  have  contracts  with  then-  business 
partners  (lawyers,  accountants,  third-party  administrators, 
accrediting  organizations,  and  others  who  perform  sendees  on 
behalf  of  a  plan  or  provider)  that  lumt  how  they  may  use  the 
information.  Covered  entities  may  be  held  responsible  for  the 
transgressions  of  their  business  partners. 

■  Information  may  be  used  without  individual  authorization  for 
pubUc  pohcy  purposes  such  as  research,  public  health 
monitoring,  health  care  oversight,  and  law  enforcement. 

Information  practices 

"    When  covered  entities  disclose  information,  they  may  disclose 
only  the  minimum  amount  necessary  to  fulfill  the  purpose.  Such 
determinations  are  to  be  made  on  a  case-by-case  basis,  when 
technologically  feasible. 

■  Covered  entities  can  meet  privacy  standards  by  removing 
specified  identifying  data  elements. 

"    Covered  entities  must  provide  up-to-date  notice  to  patients  and 

enrollees  describing  their  rights  and  how  the  entity  intends  to  use 

or  disclose  the  information. 
•    A  covered  entity  may  not  condition  treatment  or  payment  on 

obtaining  an  authorization  for  a  disclosure  for  a  nonrelated 

purpose  (such  as  marketing). 

■  Covered  entities  must  provide  individuals  on  request  with  an 
accounting  of  disclosures  of  their  identifiable  health  information.  | 
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laiividiial  righcs 

- 

■  IndividQals  have  a  rigti  to  inspect  and  copy  their  medical 
records.  Individuals  also  have  a  right  to  amend  and  correct 
erroneous  health  information. 

■  Indi\iduals  have  a  right  to  request  restri<^ons  on  further  uses  or 
disclosures  of  dieir  identifiable  health  information  in  certain 
instances. 

■  Individuals  may  file  complaints  to  a  covered  entity  and  to  the 
Secretary  of  Health  and  Human  Serrices  about  possible  privacy 
rule  violations. 

.Aifcamistiam'e  requireiriCTts 

■  Gjvered  entities  must  have  a  designated  privacy  ofBcial  to 
ovasee  privacy  practices. 

■  Covered  entities  must  develop  and  apply  sanctions  w-hen 
appropriate  to  onployees  and  business  partners  who  misuse 
infixznation. 

■  Covered  entities  must  also  develop  and  document  their  policies 
and  procedures  for  implementation  of  rule  requiremaiis. 

PlCCUiptXTO 

The  proposed  rule  preempts  state  laws  that  are  contrary  to  the  rule, 
■wiih  certain  exceptions.  Excepdons  include  state  laws  that  are  more 
stringent,  DubUc  health  surveillance  laws,  and  parental  access  laws. 

EaforcemoiC 

HHS  may  make  a  formal  finding  of  noncompliance  and  use  it  as  a 
basis  to  initiate  an  acdon  under  HIP.AA  or  to  refer  the  matter  to  the 
Department  of  Justice  for  prosecution  under  HIPAA.  HEPAA  sets 
forth  civil  and  criminal  penalties  for  -violations. 

HHS  PrcceSS  for  Obfain-rpg  Tnpnt 

on  \hc  Proposed  Regulatiot: 

Although  proposed  regulations  generally  have  a  60-day  comment  period,  HHS  extended  the  time 
period  for  submitting  comments  on  the  privacy  regulations  for  an  additional  45  days  at  the 
request  of  several  health  care  groups.  During  the  S-y^-month  comment  period,  HHS  received 
just  under  52,000  commaits.  Some  groups  organized  campaigns  to  promote  public  comment  on 
the  regulation:  30,000  letters  fix^m  one  group  were  essentially  identical,  while  10,500  submitted 
by  another  organization  wwe  more  varied  but  endorsed  similar  themes.  In  accordance  with  the 
AdhniiBStiative  Procedure  Act,  aU  comments  are  being  re\"iewed  and  summarized  for  inclusion  in 
fbeptambic  to  the  final  rule.  According  to  an  HHS  senior  pohcy  adviser,  the  target  date  for 
pablkatioo  of  the  final  rule  is  not  known.  The  rale  would  be  effective  26  months  after  the  final 
rule  is  published 

HHS'  IXZRT.SE  OF  ITS  RLTESLAKING  ALTHORTTt' 
IS  CO^S'STEST  VrTTH  HIP.AA 

Under  HEPAA,  HHS'  authority  to  issue  regulations  is  Limited  to  setting  standards  for  three 
specific  types  of  oitities:  health  plans,  health  care  clearin^ouses,  and  health  care  providers  that 
transmit  information  electronically  in  connection  with  specific  financial  and  administrative 
transactions.  In  the  preamble  to  the  proposed  regulations,  HHS  acknowledges  that,  because  of 
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this  limitation,  it  lacks  authority  to  implement  comprehensive  privacy  protections  and  therefore  it 
did  not  attempt  to  do  so.  Because  of  concerns  that  the  regulation  would  leave  gaps  in  protection, 
HHS  has  attempted  to  find  ways,  consistent  with  the  statute,  to  protect  privacy  even  where  it 
cannot  regulate  direcUy.  Some  have  suggested  that  HHS  has  gone  beyond  what  the  law 
authorizes  in  parts  of  tlie  proposed  rule,  while  elsewhere  it  has  left  too  much  leeway  to  the 
regulated  entities  to  decide  how  to  comply  witii  the  proposed  standards.  Specifically,  questions 
have  been  raised  about  (1)  requiring  covered  entities  to  get  assurances  that  their  business 
partners — "downstream"  users  of  the  data — ^will  safeguard  the  information;  (2)  extending 
privacy  protection  to  the  contents  of  electronic  records  in  other  forms  (such  as  printouts);  and  (3) 
partly  on  the  basis  of  their  size  and  the  nature  of  their  business,  allowing  some  regulated  entities 
to  decide  the  detailed  policies  and  procedures  for  complying  with  the  proposed  regulations  (HHS 
refers  to  this  as  "scalability"). 

We  found  that  in  these  areas  HHS  did  not  exceed  its  statutory  authority.  HHS  has  broad 
authority  to  decide  how  to  administer  programs  for  which  it  is  responsible  and  to  interpret  the 
statutes  establishing  those  programs,  such  as  HIPAA.  In  developing  the  proposed  regulations, 
HHS  has  used  this  authority  to  regulate  areas  in  which  it  reads  the  law  as  leaving  room  for 
discretion. 

Requiring  Safeguards  by  Business  Partners 

The  proposed  regulations  would  require  covered  entities  (health  plans,  health  care 
clearinghouses,  and  any  health  care  providers  that  transmit  health  information  in  electronic  form) 
to  get  assurances  from  business  partners  that  they  in  turn  yfiW  safeguard  the  information. 
Business  partners  include  lawyers,  auditors,  consultants,  data  processing  firms,  and  others  to 
whom  the  covered  entity  discloses  protected  health  information  so  that  the  business  partner  can 
carry  out  a  fimction  of  the  covered  entity. 

The  assurance  required  is  a  written  contract  explicitly  limiting  the  business  partner's  uses  and 
disclos\ire  of  the  information  and  imposing  security,  inspection,  and  reporting  requirements  on 
the  business  partner.  The  regulations  further  protect  the  information  in  the  hands  of  downstream 
users  by  requiring  the  business  partner  to  ensure  that  any  subcontractors  or  agents  to  whom  it 
provides  protected  health  information  will  agree  to  the  same  restrictions  and  conditions  that 
apply  to  the  business  partner.  The  covered  entity  is  to  be  held  responsible  for  any  of  the  business 
partner's  material  breaches  of  the  coniract  if  the  covered  entity  either  knew  of  them,  or 
reasonably  should  have  known,  and  faiicu  to  take  reasonable  steps  to  remedy  them. 

We  find  these  provisions  to  be  reasonable  and  wi  hin  HHS'  authority  to  promulgate.  They  are 
consistent  with  HIPAA's  purpose  of  protecting  the  privacy  of  individually  identifiable  health 
information;  without  some  control  over  downstream  use,  the  protection  afforded  by  the  rule 
would  be  significantly  weakened.  The  business  partner  provisions  fill  a  gap  left  by  HIPAA  by 
providing  needed  protection  not  explicitiy  provided  for  by  the  statute,  without  directly  imposing 
requirements  on  entities  not  covered  by  the  statute. 

In  proposing  this  part  of  the  rule,  HHS  recognized  that  many  of  those  who  would  likely  obtain 
personally  identifiable  health  information  from  covered  entities  are  not  themselves  entities 
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covCTed  by  the  statute  and  that  it  did  not  have  authority  to  directly  regulate  their  use  of  the 
information.  Although  HHS  would  be  acting  beyond  its  HIPAA  authority  if  it  attempted  directly 
to  regulate  entities  not  covered  by  the  statute,  that  is  not  the  case  here:  the  proposed  regulations 
distinguish  clearly  between  treatment  of  covered  entities  and  treatment  of  business  partners. 
First,  the  requirements  to  be  imposed  on  business  partners  arise  only  if  a  party  voluntarily 
chooses  to  do  business  with  a  covered  entity.  Second,  business  partners  are  not  subject  to 
enforcement  action  by  HHS;  HHS'  enforcement  authority  is  limited  to  covered  entities.  Third, 
the  safeguards  being  required  of  business  partners  are  not  as  extensive  as  those  the  regulations 
would  require  of  covered  entities.  For  example,  business  partners,  unlike  covered  entities,  are 
not  required  to  develop  and  distribute  an  explanation  of  their  privacy  practices  to  individuals. 

If  someone  to  whom  a  covered  entity  disclosed  information  in  the  course  of  business  could 
disclose  it  further  with  impunity,  the  protection  afforded  would  be  worth  little.  HHS  therefore 
proposed  this  obligation  for  covered  entities  to  exercise  control  by  contract  over  use  of 
information  provided  by  them  to  business  partners. 

Extending  Protection  to  the  Paper  Record  of  Electronic  Data 

Another  issue  that  has  been  raised  is  whether  HHS  has  authority  under  HIPAA  to  regulate 
nonelectronic  records  as  well  as  electronic  data.  The  proposed  rule  appUes  standards  of 
protection  to  information  that  has  been  electronically  transmitted  or  maintained  by  a  covered 
entity,  including  such  information  in  any  other  form.  Thus,  the  regulations  would  apply  when 
the  electronic  information  is  printed,  discussed  orally,  or  otherwise  changed  in  form.  The 
regulations  also  J^ply  to  the  original  paper  version  of  information  that  is  subsequently 
transmitted  electronically. 

We  find  nothing  in  HIPAA  that  restricts  HHS'  rulemaking  authority  related  to  identifiable  health 
records  to  electronic  data  only.  HHS  states  in  the  preamble  to  the  proposed  rule  that  it  has 
authority  under  HIPAA  to  set  privacy  standards  that  apply  to  all  individually  identifiable  health 
information,  including  information  in  a  nonelectronic  form.  The  privacy  protections  afforded 
individuals  by  HIPAA  would  in  effect  be  negated  if  health  information  lost  its  protection  merely 
by  being  printed  or  read  aloud. 

The  rule  was  issued  under  authority  in  the  law  that,  while  referring  to  electronic  exchanges,  is 
not  unequivocally  limited  to  such  exchanges.  HHS  is  to  issue  regulations  concerning  "standards 
with  respect  to  the  privacy  of  individually  identifiable  health  information  transmitted  in 
connection  with  [transactions  described  in  a  list,  in  another  section  of  the  law]."  As  HHS  points 
out,  this  language  is  not,  on  its  face,  limited  to  electronic  transmissions  of  individually 
identifiable  health  information,  although  electronic  transmissions  are  clearly  within  its  scope. 

HHS*  approach  to  this  issue  is  reasonable  and  balanced.  Although  HHS  believes  that  it  has 
authority  to  issue  regulations  covering  individually  identifiable  health  information  in  any  form,  it 
limited  the  proposed  regulations  to  individually  identifiable  health  information  that  is  at  some 
point  electronically  maintained  and  transmitted  by  a  covered  entity.  HHS  explains  that  this 
approach  focuses  most  on  the  primary  concern  of  HIPAA — the  effect  on  confidentiality  of  health 
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care  infonnation  of  the  growing  use  of  computerization  in  health  care,  including  electronic 
transfers. 

Scalability 

Another  area  of  the  regulation  about  which  questions  have  been  raised  is  "scalability." 
"Scalability"  refers  to  allowing  covered  entities,  which  vary  greatly  in  size,  to  decide  for 
themselves  the  detailed  policies  and  procedures  they  will  use  in  complying  with  various  privacy 
standards.  It  has  been  suggested  that  such  a  practice  is  problematic  in  that  it  leaves  to  the 
covered  entity  the  decision  of  how  to  comply. 

HHS  explained  in  the  preamble  to  its  proposed  regulation  that  the  standards  are  to  be 
implemented  by  all  covered  entities,  from  a  small,  single-physician  practice  to  the  largest 
multistate  health  plan.  HHS'  approach  is  to  propose  the  privacy  principles  and  standards  that 
covered  entities  must  meet  but  to  leave  detailed  policies  and  procedures  for  meeting  the 
standards  to  the  discretion  of  the  covered  entities.  Fiulhermore,  while  all  covered  entities  must 
meet  the  standards  and  are  subject  to  the  penalties  in  HIPAA,  HHS  said  it  intends  the 
implementation  of  the  proposed  rules  to  be  flexible  and  scalable  in  order  to  account  for  the 
natxire  of  the  covered  entities'  businesses  as  well  as  the  covered  entities*  size  and  resources.^ 

An  example  of  the  application  of  "scalability"  is  that  the  proposed  regulations  require  each 
covered  entity  to  designate  a  "privacy  ofBcial"  to  develop  privacy  policies  but  allow  the  entity  to 
decide  for  itself  details  such  as  whether  the  official  would  have  other  duties  not  related  to 
privacy.  HHS  observed  that  a  small  office  might  designate  the  office  manager,  who  has  a  variety 
of  administrative  duties,  as  the  privacy  official,  whereas  a  large  entity  might  designate  a  person 
whose  sole  responsibiUty  is  privacy  policy.  Similarly,  the  regulations  require  covered  entities  to 
have  a  mechanism  for  receiving  complaints  from  individuals  regarding  compliance  with  the 
privacy  regulations,  but  they  leave  it  up  to  the  entities  to  decide  what  that  mechanism  is.  A 
smaller  entity  might  have  a  more  informal  process  than  a  larger  entity. 

HHS'  decision  to  build  flexibility  and  scalability  into  the  proposed  rule  to  account  for  differences 
in  entity  size  is  within  its  authority.  The  agency's  approach  requires  compliance  with  the 
standards  by  all  covered  entities,  while  allowing  each  covered  entity  to  devise  its  strategy  to 
protect  privacy  information. 

SUPPORT  FOR  PRIVACY  PROTECTION 

IS  WIDESPREAD.  WHILE  MOST  CONCERNS 

FOCUSED  ON  CERTAIN  KEY  PROVISIONS 

In  reviewing  the  comments  submitted  by  40  selected  stakeholders  representing  diverse  affected 
constituencies  in  the  medical  privacy  debate,  we  found  widespread  support  for  the  goal  of 
protecting  individually  identifiable  health  information  from  misuse.  For  this  group,  the  issue  is 


*HHS  did  this,  in  part,  to  con^ly  with  the  Regulatory  Flexibility  Act,  which  requires  among  other  things  that 
agencies  take  and  document  steps  to  minimize  die  significant  economic  iiiq>act  of  their  proposed  rules  on  small 
entities.  In  its  initial  regulatory  flexibility  analysis,  HHS  stated  that  its  guiding  principle  concerning  how  to  address 
die  burden  on  small  entities  has  been  to  make  the  provisions  scalable. 
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not  whether  to  protect  medical  records  privacy  but  what  is  the  best  approach  for  achieving  it. 
Their  comments  indicated  much  impUni  agreement  and  several  areas  of  expUcit  disagreement 
with  the  proposed  regulation. 

There  were  many  sections  of  the  rule  that  elicited  little  reaction — suggesting  a  relative  lack  of 
controversy — although  othCT  groups  not  included  in  our  review  could  well  take  a  different 
position.  Areas  of  die  rule  attracting  the  least  concern  (four  or  fewer  groups)  included  fairly 
specialized  sections  (such  as  application  to  military  services)  as  well  as  sections  of  potentially 
hroada  impact  (such  as  treatmoit  of  minors  and  disclosures  in  emergency  ciromistances). 
Fewer  than  10  of  the  40  stakeholders  had  anything  to  say  about  how  the  regulation  addressed 
such  issues  as  designation  of  a  privacy  official,  disclosures  for  banking  and  payment  processes, 
and  disclosures  for  public  health  activities.  A  somewhat  larger  group  (10  to  IS  organizations) 
commented  on  die  sections  covering  healdi  oversight  activities,  enforcement,  and  compliance, 
and  on  the  lengthy  policies  and  procedures  section. 

Only  14  sections  wctc  commented  on  by  at  least  half  (20)  of  the  stakdiolders  in  our  group,  with 
six  secti(Mis  drawing  the  greatest  attmtion.  (See  table  2.)  These  were  provisions  that  would  (1) 
preempt  state  laws  that  are  in  conflict  with  the  rule  and  provide  less  stringent  privacy 
protections;  (2)  allow  standing  authorization  for  disclosures  for  treatment,  payment,  or  health 
care  operations;  (3)  restrict  the  amount  of  information  used  and  disclosed  to  die  "minimum 
necessary";  (4)  identify  the  entities  and  types  of  health  information  covered  by  the  rule;  (S) 
specify  procedures  for  individual  authorizations  where  they  are  still  required;  and  (6)  set 
piovisioas  for  business  partner  contracts  to  ensure  that  disclosed  information  remains 
confidentiaL 


Tabk  2;  Tgpi«  of  Qv^f  Cgnggg  ^9  4Q  ^e\K\<f4  S^gtwldCT? 


Section  of  proposed  privacy  regnlatioas 

Number  of  orgaoizatioas 
addressiag  section  la 
tketr  commeats 

Relationship  to  state  laws 

34 

Disclosure  for  treatment,  payment,  and  health 
care  operatioos 

34 

'^finiimim  necessary"  disclosure 

34 

Covered  infixmation  and  covered  entities 

34 

Disclosure  requiring  individual  authorization 

32 

Business  partner  agreements 

31 

Removal  of  identifying  information 

25 

Right  to  request  restrictions 

25 

Accounting  for  disclosures  of  informatimi 

24 

Disclosure  for  researdi 

23 

Written  notice  of  informatioo  practices 

23 

Inspection  and  copying  of  records 

23 

Amendment  and  coirectioo  of  records 

21 

Disclosure  for  law  enforcement 

20 
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Six  sections  generating  comments  by  the  most  stakeholders  are  distinguished  by  the  breadth  of 
interest  across  the  40  organizations  included  in  our  review.  With  one  exception,  they  drew 
comments  from  all  or  nearly  all  of  the  groups  in  six  or  seven  of  the  eight  stakeholder  categories.^ 
By  contrast,  the  remaining  sections  in  table  2  engaged  the  interest  of  some  stakeholder  categories 
more  than  others.  The  section  on  protecting  privacy  by  removing  identifying  information  drew 
extensive  comments  from  four  of  the  eight  categories  of  stakeholders.  None  of  the  other  sections 
listed  in  table  2  attracted  this  level  of  interest  in  more  than  three  of  the  eight  stakeholder 
categories.  For  example,  extensive  comments  on  disclosures  for  research  purposes  were  limited 
to  research  and  pharmaceutical  groups  plus  health  care  clearinghouses  and  providers.  Patient 
advocates,  government  entities,  and  health  care  providers  were  most  active  in  providing 
comments  for  the  section  on  law  enforcement. 

COMMENTS  ON  MOST  CONTROVERSIAL  SECTIONS 
INDICATED  DISAGREEMENT  ON  SCOPE  AND  FEASIBILITY 

In  summarizing  the  content  of  the  comments,  we  focused  on  the  six  sections  of  the  proposed  rule 
that  attracted  the  most  comments  from  all  types  of  stakeholders.  As  noted  above,  of  the  more 
than  50  sections  of  the  proposed  regulation,  only  these  six  drew  comments  from  at  least  three- 
quarters  of  the  stakeholders  we  examined.  The  positions  taken  on  these  controversial  sections 
addressed  fundamental  issues  such  as  the  scope  of  protected  information  and  the  responsibiUties 
of  different  groups  to  safeguard  that  information,  as  well  as  the  consequences  of  those  decisions 
on  the  costs  and  burdens  imposed  by  the  rule. 

Preemption  of  State  Laws 

Thirty-four  of  the  40  stakeholders  addressed  the  provision  that  the  nUe  would  serve  as  a  federal 
floor  of  protection  rather  than  preempting  all  state  laws.  The  proposed  rule  will  not  preempt 
current  or  future  state  laws  if  they  are  "more  stringent  than"  the  regulation.*  States  may  apply  to 
the  Secretary  of  Health  and  Human  Services  for  waivers  from  federal  preemption;  the  regulation 
sets  out  applicable  categories  of  exceptions.  The  Secretary  may  also  issue  advisory  opinions — at 
the  request  of  a  state  or  on  her  own  initiative — as  to  whether  a  provision  of  state  law  constitutes 
an  exception  because  it  is  more  stringent  than  the  regulation. 

The  overriding  comment,  made  by  more  than  half  of  those  remarking  on  this  section,  was  that 
the  federal  rule  should  preempt  state  laws  and  regulations  to  create  a  single,  national  standard  for 
handling  health  information.  This  position  was  made  by  all  of  the  health  plans,  health  care 
clearinghouses,  and  employers  whose  comments  we  reviewed.  Recognizing  that  HIPAA  does 
not  allow  HHS  regulations  to  supersede  state  laws  that  provide  greater  privacy  protections. 


'stakeholders  fell  into  the  following  categories:  patient  advocates,  health  care  providers,  standards  and  accrediting 
organizations,  governmental  entities,  health  care  clearinghouses,  employers,  health  plans,  and  research  and 
pharmaceutical  groups. 

*The  proposed  rule  would  not  preempt  several  categories  of  state  laws,  including  those  relating  to  reporting  of 
disease,  injury,  or  child  abuse;  birth  and  death  reporting;  public  health  investigation  and  reporting;  and  laws 
designed  to  prevent  fraud  and  abuse. 
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several  of  these  organizations  called  for  congressional  action  to  overcome  this  legislative 
restriction  on  HHS. 

In  contrast,  eight  other  groups,  including  patient  advocates,  state  government  representatives, 
and  providers,  indicated  support  for  partial  federal  preemption  as  provided  in  the  proposed  rule. 
They  argued  that  it  is  appropriate  to  establish  a  federal  floor  so  that  rights  already  granted  by 
state  legislatures  are  not  revoked  and  that  states  remain  free  to  address  future  privacy  concerns. 
Some  comments  focused  on  the  value  of  qjplying  the  strongest  privacy  policy,  whether  it 
derived  from  federal  or  state  law.  Others  particularly  favored  the  state  role  in  this 
area,  with  some  asserting  that  certain  additional  categories  of  state  laws  should  always  take 
precedence  over  the  proposed  rule.' 

Many  of  the  organizations  criticized  the  provision  for  partial  federal  preemption  of  state  law  as 
overly  burdensome  or  excessively  costly  to  implement.  In  particular,  they  asserted  that 
substantial  expense  would  be  incurred  in  reviewing  state  laws  and  determining  whether  a  state 
law  or  the  proposed  rule  is  applicable  in  any  given  situation.  The  Blue  Cross  Blue  Shield 
Association  noted  that  "covered  entities  will  be  unable  to  navigate  the  labyrinth  of  state  privacy 
laws  under  the  complex  construct  of  the  HIPAA  regulatory  model." 

Several  stakeholders  also  complained  that  the  language  in  the  proposed  regulation  was  vague  and 
confusing.  One  issue  mentioned  was  how  to  define  a  stronger  protection  in  state  law.  As  the 
Healthcare  Leadership  Council  put  it,  "many  state  laws  are  enacted  as  part  of  a  complete 
initiative,  where  some  provisions  are  less  protective  because  others  are  more  protective."  This 
argument  was  ampUfied  in  calls  for  the  regulation  to  further  clarif>'  the  statiitory  terms 
"provision,"  "state  law,"  "contrary,"  "relates  to,"  and  "more  stringent."  Some  stakeholders 
specifically  asked  the  Secretary  to  issue  state-by-state  preemption  guidance  so  that  covered 
entities  could  avoid  making  potentially  erroneous  preemption  decisions. 

The  lack  of  preemption  guidance  was  of  particular  concern  to  health  plans  and  providers,  given 
that  the  regulation  allows  only  states  to  ask  for  exceptions  to  preemption  and  preemption 
advisory  opinions.  Several  stakeholders  suggested  that  HHS  should  be  required  to  respond  to 
requests  for  advisory  opinions  and  exception  determinations  in  a  timely  manner.  Timely 
publication  or  public  notice  of  these  opinions  and  determinations  was  also  cited  as  important. 
Because  HHS  may  not  be  able  to  handle  the  volume  of  exception  determination  requests,  both 
the  National  Association  of  Insurance  CommissiouvTS  and  the  National  Conference  of  State 
Legislatures  requested  that  state  law  be  presumed  to  qualify  for  exception  fix>m  preemption  until 
HHS  makes  a  determination  to  the  contrary. 


'Specifically  cited  were  state  public  safety  laws;  psychotherapist/patient  privilege  and  "duty  to  warn"  case  law  and 
statutes;  sute  laws  providing  exceptions  to  inspection/copying  requirements;  access  privilege  laws  protecting 
attoniey-client  communications  and  quality  assurance,  medical  appeals,  peer  review,  credentialing,  and  corporate 
compliance  activities;  and  state  regulatory  functions  not  specifically  listed  (mailcet  conduct  examinations, 
enforcement  investigations,  and  consumer  conqilaint  handling). 
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Covered  Information  and  Covered  Entities 

The  ^plicability  section  of  the  regulation  specifies  which  entities  are  covered  and  which 
information  is  protected.  Because  HEPAA  provides  that  the  regulation  applies  only  to  health 
plans,  health  care  clearinghouses,  and  any  health  care  providers  that  transmit  health  information 
in  electronic  form,  HHS  does  not  have  the  authority  to  apply  these  standards  directly  to  any  other 
entities.^  The  rule  £^plies  only  to  "protected  health  information,"  defined  as  identifiable 
infomiation  that  is  electronically  maintained  or  transmitted  by  a  covered  entity,  and  such 
information  in  any  other  form. 

Nearly  half  of  all  the  groups  commenting  on  this  section  made  the  same  point:  the  rule  also 
should  protect  health  information  in  paper  records  that  had  not  been  maintained  or  transmitted 
electronicaUy.  At  least  one  organization  in  almost  every  category  mentioned  a  need  to  extend 
the  scope  of  the  rule  to  all  individually  identifiable  health  information,  including  purely  paper 
records.  These  organizations  generally  believe  that  this  distinction  is  not  only  less  protective  of 
privacy  but  also  imworkable.  In  contrast,  several  commenters  want  a  definition  of  protected 
health  information  that  excludes  pure  paper  records.  Some  of  these  groups  suggested  that  HHS' 
authority  only  extends  to  the  electronic  transmission  of  information,  not  to  the  information's 
form  before  or  after  the  transmission.  A  few  stakeholders  asserted  that  HHS*  authority  over 
health  information  does  not  extend  beyond  the  nine  standard  HIPAA  transactions.' 

Although  many  groups  contended  that  all  information  regarding  a  patient  that  is  maintained  by  a 
covered  entity  should  be  subject  to  the  rule,  almost  as  many  commenters  asserted  that  the  health 
information  definitions  under  the  rule  should  not  be  construed  broadly.  For  the  most  part,  these 
latter  stakeholders,  primarily  research  groups,  clearinghouses,  and  health  plans,  were  concerned 
that  broad  definitions  have  the  potential  to  impede  the  delivery  and  quality  of  health  care. 
BlueCross  BlueShield,  for  example,  suggested  that  protected  information  exclude  all  information 
that  does  not  relate  to  an  actual  medical  record,  asserting  that  "applying  prescriptive  rules  to 
information  that  health  plans  hold  will  not  only  delay  processing  of  claims  and  coverage 
decisions,  but  ultimately  affect  the  quality  and  cost  of  care  for  health  care  consumers." 

On  the  other  hand,  nine  commenters  suggested  that  HHS  expand  the  scope  of  the  regulations  to 
cover  more  of  the  entities  that  use,  disclose,  generate,  maintain,  or  receive  protected  health 
information,  however  defined.  For  example,  the  Workgroup  on  Electronic  Data  Interchange 
wrote  that  all  entities  involved  in  electronic  exchange  of  individually  identifiable  health 
information  should  be  included  in  the  rule  as  health  care  clearinghouses.  Some  respondents 
specifically  remarked  that  the  definition  of  "health  plan"  needed  to  be  broadened  so  that  the 
same  rules  apply  to  other  types  of  insurers,  such  as  life,  disability,  workers'  compensation, 
automobile,  and  property-casualty  insurers.  According  to  the  National  Association  of  Insurance 


*To  cover  many  of  the  persons  who  obtain  identifiable  health  information  from  covered  entities,  the  regulation's 
"business  partners"  provision  requires  that  covered  entities  apply  privacy  protections  to  entities  with  whom  they 
contract  for  administrative  and  other  services.  See  "Requiring  Safeguards  by  Business  Partners"  on  p.  S. 

'See  PX.  104-191,  sec.  1 173(aX2).  These  transactions  are  diose  with  respect  to  (1)  health  claims  or  equivalent 
encounter  infonnation,  (2)  health  claims  attachments,  (3)  enrollment  and  disenrollment  in  a  health  plan,  (4) 
eligibility  for  a  health  plan,  (5)  health  care  payment  and  remittance  advice,  (6)  health  plan  premium  payments,  (7) 
first  report  of  injury,  (8)  health  claim  sUtus,  and  (9)  referral  certification  and  authorization. 
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Commissioners,  in  creating  their  Health  Information  Privacy  Model  Act,  they  concluded  it  was 
"illogical  to  apply  one  set  of  rules  to  health  insurance  carriers  but  different  rules,  or  no  rules,  to 
other  carriers  that  were  using  the  same  type  of  information."  However,  the  Health  Insurance 
Association  of  America  commented  that  health  plans  should  not  include  long-term  care, 
disability,  or  dental  insurance  because  applying  the  rule  to  these  products  may  exceed  the  scope 
of  the  Secretary's  authorization  under  HIP  AA. 

Providers  and  patient  rights  advocates  mentioned  several  other  individuals  and  organizations 
they  believe  should  be  covered  by  the  rule,  including  employers,  public  health  ofiQcials, 
marketing  firms,  and  researchers.  The  American  Medical  Association  contended  that  such 
secondary  users  are  the  ones  who  are  most  likely  to  wrongfully  disclose  and  misuse  protected 
health  information.  In  contrast,  a  significant  number  of  plans,  employers,  and  research  and 
pharmaceutical  groups  thought  the  covered  entity  definitions  needed  to  be  narrowed  so  that 
certain  individuals  and  organizations — which  could  include  these  commenters  or  affiliates  of 
these  commenters — would  not  be  subject  to  the  rule.  These  commenters  were  generally 
concerned  that  the  covered  entity  definitions,  if  broadly  construed,  could  place  unnecessary 
burdens  and  costs  on  their  activities.  For  example,  three  of  these  stakeholders  opp>osed  a  covered 
aitity  definition  that  would  include  biotechnology  companies  or  manufacturers  that  provide 
product  support  services,  conduct  patient  assistance  programs,  or  conduct  postmarket 
surveillance.  According  to  Genentech,  Inc.,  "Congress  did  not  intend  that  we  or  any  other 
biotechnology  company  whose  mission  is  discovering  and  marketing  new  drugs  would  be  a 
'covered  entity'  under  [HIPAA]." 

Finally,  the  term  "enuty"  was  found  to  be  somewhat  ambiguous,  with  some  advocacy  groups 
asking  how  the  general  rule  would  apply  to  "mixed"  organizations.  This  is  an  important  issue 
because  protected  health  information  can  flow  between  the  health  component  and  the  nonhealth 
component  of  such  organizations.  Several  stakeholders  proposed  that  even  if  an  organization  is 
not  a  covered  entity,  components  within  the  organization  that  fit  the  definition  of  a  covered  entity 
should  be  subject  to  the  regulations.  Examples  provided  by  the  AFL-CIO  and  the  American 
Civil  Liberties  Union  included  on-site  health  clinics  operated  by  an  employer,  and  a  school  nurse 
who  is  employed  by  or  under  contract  with  a  school  or  school  system. 

Business  Partner  Contracts 

Because  HLPAA  authorized  HHS  to  regulate  the  practices  of  only  three  entities — health  plans, 
health  care  providers,  and  health  care  clearinghouses — HHS  developed  the  concept  of  "business 
partners"  as  a  way  of  providing  privacy  protection  to  identifiable  information  obtained  by  other 
organizations  in  the  course  of  performing  business  functions  on  behalf  of  covered  entities. 
Support  for  this  provision  focused  on  its  perceived  necessity — otherwise  much  identifiable 
health  information  would  have  limited  privacy  protection — ^while  criticism  highlighted  the 
burden  of  negotiating  and  administering  thousands  of  different  contracts. 

The  business  partner  concept  generated  vociferous  opposition  from  many  of  the  organizations 
commenting  on  the  proposed  rule.  Eight  groups  including  health  plans  and  employers  as  well  as 
physicians  urged  that  HHS  drop  this  approach  altogether.  Two  patient  rights  groups  plus  the 
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National  Association  of  Attorneys  GCTeral  expressed  support  for  the  business  partner  section  as 
written  in  the  proposed  rule. 

Many  of  the  stakeholders  opposed  to  this  provision  argued  that  it  would  result  in  a  vast  number 
of  contractual  relationships  tfiat  would  be  both  costly  and  burdensome  to  implement.  The  Joint 
Commission  for  the  Accreditation  of  Healthcare  Organizations,  for  example,  estimated  that  it 
would  have  to  enter  into  approximately  20,000  separate  contracts  if  it  was  forced  to  operate  as  a 
business  partner  in  accrediting  health  care  providers.  Several  conamenters  also  maintained  that 
the  Secretary  of  Health  and  Human  Services  lacks  the  authority  to  indirectly  extend  the  scope  of 
privacy  protections  beyond  the  covered  entities  designated  in  HIPAA. 

Over  half  of  the  commenters  provided  suggestions  intended  to  make  the  iq)plication  to  business 
partners  less  onerous.  The  single  most  frequent  reconunendation,  endorsed  by  12  of  the  31 
groups  commenting  on  this  section  of  the  proposed  rule,  would  exempt  covered  entities  from  the 
definition  of  "business  partner."  The  logic  underlying  this  suggestion  is  that  any  group  that  was 
a  covered  entity  was  already  obligated  to  protect  the  privacy  of  identifiable  health  information, 
making  business  partner  contracts  between  covered  entities  unnecessary.  Similarly,  the  Joint 
Commission  and  the  National  Committee  on  Quality  Assurance  argued  that  accrediting 
organizations  such  as  themselves  act  as  health  oversight  agencies  on  behalf  of  government 
programs  and  therefore  should  not  be  treated  as  business  partners. 

A  second  major  area  of  concern  among  stakeholders  commenting  on  this  section  involved  the 
degree  to  which  covered  entities  would  be  expected  to  monitor  the  compliance  of  their  business 
partners  with  their  contractual  obligations.  Some  sought  to  weaken  the  language  of  the  proposed 
rule,  which  would  hold  the  covered  entities  responsible  when  they  "knew  or  reasonably  should 
have  known"  about  privacy  violations  committed  by  their  business  partners  and  failed  to  act. 
Eleven  organizations  including  health  plans,  employers,  and  providers  supported  the  view  that 
covered  entities  should  not  be  responsible  for  the  actions  of  their  business  partners  at  all,  or  at 
most  just  for  those  violations  that  they  actually  knew  about.  By  contrast,  the  National 
Association  of  Attorneys  General  specifically  endorsed  the  idea  that  covered  entities  should 
routinely  monitor  the  compliance  of  their  business  partners. 

Finally,  there  was  widespread  opposition  among  six  of  the  eight  stakeholder  categories  to  the 
requirement  in  the  proposed  rule  that  business  partner  contracts  include  a  provision  stating  that 
the  individuals  whose  identifiable  information  was  disclosed  were  "third  party  beneficiaries  of 
the  contract."  This  was  generally  presumed  to  provide  individuals  whose  privacy  was  violated  in 
some  way  a  basis  for  a  "private  ri^t  of  action,"  allowing  them  to  file  a  lawsuit.  Such  recourse  is 
not  provided  in  HIPAA  directly,  and  18  different  commenters  took  exception  to  this  apparent 
effort  to  achieve  that  goal  through  business  partner  contracts. 

Standing  Authorization  for  Disclosures  for 
Treatment.  Payment,  and  Health  Care  Operations 

A  central  element  of  the  proposed  rule  is  to  move  away  from  requiring  patients  to  consent  to 
sharing  their  identifiable  health  information  in  order  to  have  their  health  care  services  paid  by  a 
third  party.  Instead,  the  rule  would  grant  standing  authority  to  health  plans,  health  care 
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providers,  and  health  care  clearinghouses  to  share  this  information  as  they  perform  their  routine 
tasks  in  administering  health  care  services.  In  fact,  the  rule  would  prohibit  covered  entities  from 
requesting  such  authorization  unless  it  was  required  by  state  or  otha-  applicable  law.  Many  of 
the  commenleTS  endorsed  this  shift  to  standing  authorization  for  such  routine  administrative 
purposes,  including  organizations  representing  providers,  accrediting  agencies,  researchers,  and 
health  plans.  Fourteen  groiqjs  agreed  thial  providers  and  health  plans  should  be  allowed  to  obtain 
patiait  consent  for  these  purposes.  They  found  the  process  of  obtaining  consent  was  useful  for 
maintaining  trust  and  keying  patients  informed  even  if  it  was  not  legally  required. 

The  main  controversies  involving  this  section  concern  the  scope  of  activities  encompassed  by  the 
terms  "treatment,"  'payment,"  and  "health  care  operations."  Several  patient  rights  and  provider 
groups  felt  that  these  terms  were  defined  too  broadly.  For  example,  the  Georgetown  University 
Health  Privacy  Project  requested  that  the  definitions  of  treatment  and  payment  be  narrowly 
construed  as  applying  only  to  the  individual  who  is  the  subject  of  the  information. '°  The  Health 
Privacy  Project  and  others  also  argued  that  many  health  care  administrative  tasks  could  be 
performed  vvithout  using  identifiable  health  data.  There  was  also  a  general  wariness  of 
administracve  activities  that  could  serve  odier  purposes,  such  as  marketing. 

By  contrast,  most  health  plans  and  employers  pressed  HHS  to  expand  its  definition  of  treatment, 
payment,  and  health  care  operations  so  as  to  explicitly  include  such  activities  as  disease  and  risk 
management,  health  promodon,  qualit>'  improvement  and  outcomes  evaluation,  cost- 
effectiveness  reviews,  and  integrated  health  and  disability  programs.  Many  insurers  wanted 
cxphcit  inclusion  of  underwriting  and  fi^ud  prevention  and  investigation.  Several  commenters 
maintained  that  efforts  to  improve  quality  of  care  and  promote  innovation  in  health  care  could 
suffer  if  the  definition  of  health  care  operations  means  that  providers  and  health  plans  could  not 
readily  t^Jce  advantage  of  the  identifiable  health  data  needed  for  these  initiatives. 

Some  argued  that  HHS  should  not  even  attonpt  to  enumerate  the  tasks  encompassed  by 
treatment,  payment,  and  health  care  operations  because  such  tasks  were  both  highly  varied  and 
prone  to  change  over  time  as  innovations  in  healdi  care  delivery  occurred.  "Every  time  we  speak 
with  our  members  regarding  this  regulation,"  noted  the  American  Hospital  Association,  'Ve 
discover  another  unanficipated,  but  legitimate,  use  of  information.  We  cannot  foresee  all 
possible  legitimate  and  necessary  uses  of  information  any  better  than  HHS  staff."  Some 
commenters  recommended,  as  an  alternative  to  an  exhaustive  list,  a  more  general  authorization 
to  share  data  reasonably  related  to  treatment,  payment,  and  health  care  operations. 

Mir'TniTTTi  Necessary  Information 

HHS  proposed  that  covered  entities  be  prohibited  &om  using  or  disclosing  more  than  the 
minimum  amount  of  protected  information  necessary  to  accomplish  the  intended  purpose  of  the 
disclosure  (taking  into  consideration  practical  and  technological  limitations  and  costs).  With 
certain  exceptions,  covered  entities  would  be  required  to  take  steps  to  limit  the  amount  of 
infonnation  disclosed  from  a  record  to  the  information  needed  by  the  recipient  for  a  specific 
purpose. 


"•The  Health  Privacy  Project  claimed  that  many  people  be  mortified  to  learn  that  their  health  infonnation 

WIS  being  reviewed  for  the  treatment  of  odien-particuluiy  people  they  know." 
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Thirty-four  of  the  40  selected  organizations  commented  on  this  topic,  and  13  of  them — 
representing  every  category  of  stakeholder — indicated  support  for  the  provision  as  written  or 
with  modifications.  Healtheon/WebMD  was  particularly  stq>portive,  saying  the  requirement 
**will  encourage  better  system  design,  attention  to  access  controls,  and  more  thoughtful 
transmission  of  data  with  a  resultant  improvement  in  privacy  protection." 

Another  nine  conunenters,  including  providers,  research  organizations,  and  health  plans,  called 
for  substantial  modification  of  the  standard,  or  that  it  be  deleted  from  the  rule  entirely.  These 
stakeholders  generally  believed  that  the  "minimum  necessary"  standard  is  unworicable  in  its 
current  form.  Moreover,  six  groups,  mostly  those  associated  with  employers  and  health  plans, 
found  the  provision  excessively  burdensome  or  costly  to  implement. 

The  conunent  most  often  made  on  this  section  was  that  the  exclusion  of  important  clinical 
information  could  adversely  affect  patient  care.  Concerned  that  the  standard  would  hinder  the 
free  flow  of  critical  medical  information,  letters  from  several  stakeholders  suggested  that  the 
minimum  necessary  requirement  not  be  applied  to  disclosures  related  to  treatment.  As  the 
American  Hospital  Association  put  it,  'Vhat  may  appear  unnecessary  from  the  lab  technician's 
or  nurse's  perspective  may  be  essential  for  the  physician's  diagnosis  of  the  patient's  condition. 
This  subjective  standard  could  encourage  practitioners  in  hospitals  to  withhold  information 
hundreds  and  thousands  of  times  daily  that  could  be  essential  for  later  care." 

Various  groups  wrote  that  the  limited  exceptions  to  the  standard  be  broadened.  For  exan^le,  the 
Association  of  American  Medical  Colleges  believed  disclosures  for  education  should  be 
excluded  from  the  requirement.  The  Department  of  Justice  and  the  National  Association  of 
Attorneys  General  asserted  that  the  minimum  necessary  rule  should  not  apply  to  disclosures  to 
health  oversight  agencies  and  law  enforcement  agencies,  or  to  disclosures  needed  to  process 
appUcations  for  government  benefit  programs.  The  American  Council  of  Life  Insurers  stated 
that  the  standard  should  not  apply  to  insurers  requesting  protected  information  for  underwriting 
^pUcations  or  evaluating  claims. 

Several  other  groups  held  a  contrary  position:  the  minimum  necessary  provision  should  apply  to 
all  or  most  uses  and  disclosures  of  individually  identifiable  health  information,  including  those 
for  law  enforcement,  research,  and  health  oversight  purposes.  These  stakeholders  believed  that 
the  exceptions  in  the  regulation  are  too  broad.  For  example,  the  Health  Privacy  Project  and  the 
American  Civil  Liberties  Union  wanted  the  standard  to  apply  even  when  an  individual  requests 
the  covered  entity  to  disclose  his  or  her  own  records."  Similarly,  HealtheonAVebMD  thought 
the  minimum  necessary  standard  should  apply  to  all  uses  and  disclosures  permitted  under  the 
regulation,  including  those  required  by  law.'^ 

A  significant  number  of  commenters  suggested  that  HHS  create  a  clear  definition  of  the  term 
"minimum  necessary."  Several  found  the  standard  ambiguous  and  were  uncertain  how  the 
requirement  that  only  the  "minimum  amount  of  protected  health  information  necessary"  be  used 


"Excepted  at  sec.  164.506(bXlXi) 
"Excepted  at  sec.  164.506{bXlX>»)- 
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or  disclosed  should  be  applied.  Guidance  fix)m  HHS  was  requested  by  some  stakeholdCTs 
regarding  bow  to  make  minimum  necessary  determinations.  A  few  stakeholders  are  particularly 
concerned  about  how  these  provisions  apply  to  protected  health  information  transmitted  to  health 
plans  and  anployers.  Quintiles  Transnational  wrote  that  "the  definition  of  'minimum  necessary' 
is  highly  subjective  and  no  bright  line  test  or  guidance  is  in  the  regulation  as  to  how  this 
requiranent  can  be  met"  MCTck-Medco  Managed  Care  expressed  concern  that  organizations 
would  be  put  in  "a  position  where  HHS  makes  an  after-the-fact  decision  on  whether  [the 
organization's  determination]  on  the  amount  of  information  to  disclose  was  appropriate." 

Stakeholders  noted  that  because  information  requests  are  often  vague  and  do  not  specifically 
contain  the  intended  use  of  the  infonnation,  covered  entities  may  have  difficulty  determining 
which  health  information  is  ^ropriate  to  release.  Nine  commenters  suggested  that  covered 
entities  be  allowed  to  apply  general  guidelines  rather  than  make  individual  determinations. 
Researchers  in  particular  beUeved  a  "good  faith"  gxiideline  should  be  applied  in  enforcing  the 
standard.  This  is  because,  as  elaborated  on  by  Genentech,  "in  marked  contrast  to  the 
reasonableness  and  'scalability'  discussed  in  the  preamble,  the  ooly  flexibility  in  applying  this 
standard  is  prosecutorial  discreti<«." 

Several  other  stakeholders  echoed  a  need  for  flexibility  in  the  implementation  of  this  standard, 
particulaily  for  uses  and  disclosures  within  a  covered  entity.  For  example,  the  American 
Medical  Informatics  Association  proposed  that  "covered  entities  that  use  safeguard  mechanisms 
within  [computerized  patient  record]  systons  should  be  deemed  in  con^>liance  with  the 
'minimum  necessary'  requirement."  The  Workgroup  on  Electronic  Data  Interchange  wrote  that 
covered  entities  should  be  "free  to  implement  [the  standard]  as  they  see  best"  and  "would  need 
only  to  'reasonably  determine'  the  minimum  necessary  data  to  share  within  a  covered  entity." 

Another  approach  to  addressing  the  implementation  problem,  offered  by  several  stakeholders 
across  the  spectrum,  was  to  require  that  that  the  person  requesting  the  information  make  a 
**minimum  necessary  demand."  Patient  advocacy  groups  noted  that  diis  would  be  appropriate 
when  the  disclosing  covered  entity  does  not  have  the  ability  to  determine  the  minimum  amount 
necessary.  As  stated  by  the  Medical  Grot^  Management  Association,  "it  is  likely  that  the  entity 
requesting  inforaiation  for  a  particular  purpose  is  in  a  better  position  to  make  the  minimum 
necessary  determination." 

Traditionally,  uses  and  disclosures  of  identifiable  health  infonnation  were  supposed  to  take  place 
only  with  the  authorization  of  the  individual  involved.  However,  such  authorizations  firequently 
took  the  form  of  a  "blanket  authorization"  that  the  patient  had  to  sign  in  order  to  obtain  access  to 
and  payment  for  treatment  The  proposed  rule  would  fundamentally  after  that  approach  by 
permitting  health  plans,  health  care  providers,  and  health  care  clearinghouses  to  diare  personally 
identifiable  health  data  without  authorization  from  the  patient  for  purposes  of  providing  and 
paying  for  health  care  services.  The  tmIc  would  give  other  entities  access  to  such  information 
without  individual  authorization  for  q>ecific  purposes  related  to  Icey  national  health  care 
priorities,"  These  activities  include  public  health  activities,  health  care  oversight,  and 
maintenance  of  governmental  healdi  data  systems.  Comparable  access  would  also  be  granted  to 
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promote  several  additional  iionhealth-related  priorities,  such  as  banking,  law  enforcement,  and 
judicial  and  administrative  processes. 

For  every  other  purpose,  the  proposed  rule  mandates  individual  authorizations  that  conform  with 
strict  procedural  requirements.  These  other  purposes  represent,  for  the  most  part,  nonhealth- 
related  activities,  such  as  marketing  and  fundraising.  In  addition,  the  rule  specifies  that 
psychotherapy  notes  should  not  be  disclosed  without  authorization  in  the  course  of  routinely 
administering  health  care  delivery  and  reimbursement  (though  they  are  not  shielded  firom 
disclosure  without  authorization  for  any  of  the  national  priority  purposes).  The  prohibition  on 
disclosure  without  authorization  would  also  apply  for  "research  information  unrelated  to 
treatment,"  which  the  rule  defines  as  information  developed  in  the  course  of  conducting  research 
that  does  not  have  vaUdity  or  utility  for  purposes  of  providing  treatment,  given  existing  scientific 
evidence. 

There  were  widely  scattered  comments  on  various  aspects  of  these  procedural  requirements. 
Among  those  receiving  the  widest  support  was  the  provision  that  health  plans  and  providers 
should  not  be  able  to  refuse  treatment  or  payment  because  a  patient  had  declined  to  authorize 
disclosure  of  their  identifiable  health  information  for  other  purposes.  However,  BlueCross 
BlueShield  requested  that  health  plans  be  allowed  to  condition  enrollment  on  the  provision  of 
individual  authorization  for  disclosure  of  psychother^y  notes.  There  was  also  support  among 
patient  rights  groups,  physicians,  and  state  attorneys  general  for  preventing  uses  and  disclosures 
beyond  those  authorized  by  the  individual. 

Other  comments  had  more  to  do  with  defining  the  types  of  health  data  for  v/hich  individual 
authorization  would  be  required.  Nine  commenters  foimd  the  rule's  definition  of  "research 
information  unrelated  to  treatment"  vague  or  ambiguous,  and  six  reconunended  that  HHS  drop 
this  separate  category  of  health  data  altogether.  These  commenters  were  primarily  health  plans, 
employers,  or  groups  representing  medical  researchers.  According  to  the  Biotechnology 
Industry  Organization,  "providers  anticipate  daily  struggles  in  deciding  whether  information 
resulting  firom  participation  in  a  research  protocol  should  be  included  in  a  patient's  medical 
record  (in  case  such  information  becomes  critical  to  a  patient's  treatment  at  a  later  date)  or 
whether  such  information  should  be  excluded  fi-om  the  medical  record  to  avoid  civil  and  criminal 
penalties."  This  statement  was  typical  of  the  concem  expressed  by  these  groups  toward  this 
special  category  of  identifiable  health  information. 

In  contrast,  two  patient  advocacy  groups  sought  to  ensure  that  once  information  was  classified  as 
"research  information  unrelated  to  treatment"  it  could  not  be  reclassified  at  a  later  date.  In 
addition,  privacy  advocacy  groups  sought  stronger  protection  for  "psychotherapy  notes,"  while 
comments  fi-om  a  few  health  plans  sought  to  limit  the  special  treatment  that  the  rule  would  afford 
this  category  of  identifiable  health  information. 

A  related  topic  of  widespread  interest  was  disclosure  of  protected  health  information  for 
"marketing"  purposes.  Several  stakeholders  called  on  the  Secretary  to  define  this  term.  Three 
health  plans  and  four  other  stakeholders  did  not  support  requiring  authorization  for  health-related 
activities,  even  if  they  had  a  business  coimection,  such  as  reminders  to  refill  prescriptions.  On 
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die  other  hand,  the  National  Association  of  Attorneys  Genial  would  prohibit  all  disclosures  for 
marketing  even  with  individual  auth(Hization. 

Several  commenters  expressed  a  comparable  concern  about  disclosures  for  anployment 
purposes.  The  AFL-CIO  wrote  that  employees  shoxild  be  clearly  informed  that  they  have  the 
right  to  refuse  to  authorize  disclosures  without  penalty.  A  similar  concern,  expressed  by  three 
patient  rights  groups,  was  that  employers  not  have  the  right,  without  the  authorization  of  the 
individual  involved,  to  share  identifiable  health  information  between  divisions  within  the 
organization  that  functioned  as  health  plans  or  provides  and  the  rest  of  the  company.  However, 
two  employer  groups  and  one  health  plan  said  tiiat  sharing  of  identifiable  information  within  a 
covered  entity  without  authorization  should  be  allowed. 

Finally,  some  of  the  patiait  advocacy  groups  recommended  that  the  rule  extend  heightened 
protection  for  anoth^  category  of  health  data.  For  example,  the  Bazelon  Center  for  Mental 
Health  Law  took  the  position  that  "the  rule  should  create  a  special  category  of  highly  sensitive 
medical  information  provided  higher  levels  of  privacy  protection,  e.g.  HTV  status  and  mental 
illness."  However,  other  stakeholders  said  there  should  be  no  special  treatment  for  different 
illnesses  or  categories  of  health  information.  For  example,  the  AmCTican  Health  Information 
Management  Association  believed  that  such  segregation  *^iltimately  would  be  more  dangerous 
than  beneficial." 

SOME  MODIHCATIONS  MAY  REQUIRE  ACTION  BY  THE  CONGRESS 

In  its  preamble  to  the  rule,  HHS  explicitly  noted  that  HIPAA  set  limits  on  its  authority  to  apply 
privacy  protections  comprehensively  and  uniformly.  Many  commenters  cited  a  need  for  the 
Congress  to  net  if  personal  health  information  is  to  be  subject  to  the  same  standards  regardless  of 
how  it  is  stored  (exempting  purely  paper  records)  or  where  the  individual  resides  (excepting 
more  stringent  state  laws).  Still,  stakeholders  often  disagreed  on  the  steps  the  Congress  should 
take  to  make  the  proposed  regulation  optimal  or  workable. 

The  most  fi-equent  suggestion  was  that  the  Congress  enact  a  uniform  federal  medical  records 
privacy  law  that  would  preempt  all  state  laws.  Three  employers  and  three  health  plans  stressed 
the  need  to  eliminate  any  variation  in  standards,  but  no  patient  rights  groups  or  government 
stakdiolders  offered  this  suggestion.  One  clearinghouse  said  that  it  strongly  believes  that 
"federal  health  information  staiKlards  must  preonpt  the  patchwork  of  inconsistent  State 
requirements  if  they  are  to  provide  real  assurances  of  privacy  to  individuals  at  a  time  when  health 
care  is  increasingly  an  inter-State  enterprise." 

Many  stakeholders  also  called  for  legislative  modification  to  the  "appHcabiUty"  section  of  the 
regulation.  Some  proposed  that  the  Congress  extend  HHS'  authority  to  cover  all  identifiable 
health  information,  regardless  of  whether  it  had  ever  been  electronically  stored  or  transmitted, 
even  though  HHS  declared  in  tiie  proposed  rule  that  under  current  law  it  could  have  chosen  to  do 
so.  A  substantially  larger  group  of  conunenters  bom  across  the  spectrum  of  stakeholder 
categories  advocated  legislative  changes  to  extend  coverage  under  the  rule  to  all  types  of  entities 
that  use  or  disclose  identifiable  health  information.  Perhaps  anticipating  this  argument,  the 
American  Hospital  Association  wrote  that  "the  reason  Congress  limited  the  applicabihty  of  the 
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Secretary's  regulations  to  these  [nine]  transactions  is  that:  (1)  the  public  was  concerned  about 
inappropriate  disclosiires  between  payers  and  providers,  and  (2)  these  were  the  transactions  made 
more  administratively  efficient  by  HIPAA,  which  may  heighten  those  concerns. . . .  [The 
Secretary's]  broad  interpretation  of  statutory  intent  is  the  'Achilles  heel'  of  this  regulation." 

A  need  for  congressional  action  was  also  cited  in  comments  on  various  other  sections  of  the 
regulation,  primarily  tc  limit  secondary  uses  or  disclosures  of  identifiable  health  information.  A 
number  of  stakeholders  asked  for  comprehensive  privacy  legislation  to  cover  other  areas  as  well 
as  health.  Regarding  enforcement,  three  stakeholders  stated  that  the  Congress  should  estabUsh  a 
private  right  of  action  for  individuals  to  enforce  their  rights  under  the  privacy  rules.  A  patient 
advocacy  group  went  further  in  asking  for  the  Congress  to  recognize  a  patient's  ownership  of  his 
or  her  medical  records.  Some  stakeholders  explicitly  noted  that  only  legislation  could  enable  the 
Secretary  to  directly  regulate  noncovered  health  researchers. 

CQNCLVDINQ  OBSERVATIONS 

The  comments  that  we  reviewed  from  major  organizations — representing  many  of  the  entities 
that  will  have  to  implement  the  policies  adopted — reflected  two  overriding  themes.  The  first  is  a 
widespread  acknowledgement,  despite  the  organizations'  diverse  perspectives,  of  the  importance 
of  protecting  the  privacy  of  medical  records.  While  the  groups  may  vary  in  their  assessment  of 
the  best  way  to  achieve  that  goal,  none  challenged  its  fimdamental  value.  SecoiKl,  fimdamental 
differences  among  the  groups'  positions  reflect  the  conflicts  that  sometimes  arise  between 
privacy  and  other  objectives.  Different  groups  with  varying  constituencies  tended  to  emphasize 
different  competing  goals.  As  HHS  considers  the  comments  in  formulating  the  final  rule,  it  will 
have  to  make  its  own  judgments  regarding  both  the  relative  priority  to  give  to  other  objectives 
and  the  merit  of  differing  views  on  the  feasibility  of  alternative  approaches  for  protecting 
medical  privacy.  These  judgments  will  occur  within  the  context  of  what  the  law  currently 
permits  and  requires,  unless  the  Congress  decides  to  change  the  statutory  fiameworic  established 
by  HIPAA  and  related  federal  legislation. 


Mr.  Chairman  and  Members  of  the  Committee,  this  concludes  my  prepared  statement.  I  will  be 
iu^py  to  answer  any  questions  you  may  have. 

GAO  CONTACT  AND  ACKNOWLEDGMENTS 

For  future  contacts  regarding  this  testimony,  please  call  Janet  Heimich,  Associate  Director, 
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contributions  to  this  statement  include  Barry  Bedrick,  Robert  Crystal,  Rosamond  Katz,  Eric 
Peterson,  Daniel  Schwimer,  Victoria  Smith,  and  Craig  Winslow. 
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APPENDIX  APPENDIX 

SELECTED  STAKEHOLDERS  IN  THE  DEBATE 
R£G.\RDING  FEDER.\L  HE.ALTH  Pm-ACY  POLICY 

We  included  the  follovring  organizations'  comments  in  our  review: 

AfL-aO 

Amaican  Association  of  Health  Plans 

Amencan  .Association  of  Retired  Persons 

American  Civil  Liberties  Union 

American  Council  of  Life  Insurers 

American  HeaJth  Information  Management  Association 

Amencan  Hospital  Association 

Amencan  Medical  Associaljon 

American  NIedical  Informatics  Association 

Amencan  Psychiatric  Association 

Amencan  Ps>'chological  Association 

Association  of  Amencan  Medical  Colleges 

Association  of  Private  Pension  and  Welfare  Plans 

Bazelon  Center  for  Mental  Health  Law 

Biotechnology  Industry  Organization 

Blue  Cross  Blue  Shield  Association 

Gcncntech,  Inc. 

Georgetown  University  Health  FYivacy  Project 
Health  Insurance  Association  of  America 
Healthcare  Leadership  Council 
Healtheon/WebMD 
Intennountain  Health  Care 

Joint  Commission  on  Accreditation  of  Healtix:arc  Organizations 

Medical  Group  Management  Association 

Merck-Medco  Managed  Care,  L.L.C. 

National  Association  of  Attorneys  General 

National  Association  of  Insurance  Commissioaeis 

National  Breast  Cancer  Coalition 

National  Committee  for  Quahtj-  Assurance 

Natioiial  Committee  on  Vital  and  Health  Statistics 

National  Conference  of  State  Legislatures 

National  Governors'  Association 

National  Uniform  BUhng  Committee 

National  Uniform  Claim  Committee 

Pharmaceutical  Research  and  Manufacturers  of  America 

Qumtiles  Transnational 

U.S.  Department  of  Justice 

UnitedHealth  Group 

Washington  Business  Group  on  Health 

Workgroup  on  Electronic  Data  Interchange 
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The  Chairman.  Thank  you  very  much. 

In  your  testimony,  you  noted  that  many  of  the  organizations  as- 
serted that  substantial  expense  would  be  incurred  in  reviewing 
State  laws  and  determining  whether  a  State  law  is  applicable  to 
a  given  situation.  Could  you  expand  on  this  point? 

Ms.  Heinrich.  Certainly  the  issue  of  preemption  was  one  of  the 
issues  that  many,  many  people  commented  on.  There  has  been  con- 
cern articulated  about  the  patchwork  of  State  laws  and  the  fact 
that  State  laws  seem  to  be  embedded  in  a  variety  of  codes  and 
laws,  making  it  very,  very  difficult  to  find  the  law  in  these  State 
statutes. 

Some  people  have  said,  therefore,  that  it  would  be  very  impor- 
tant to  have  a  Federal  rules  that  would  preempt  all  States;  others 
have  argued  that  in  fact  there  is  a  great  deal  of  protection  and  pri- 
vacy law  that  we  can  build  on.  And  in  fact,  entities  have  now  been 
working  with  these  50  different  States  laws.  This  is  an  opportunity 
to  actually  build  on  what  is  the  strongest  privacy  law. 

The  Chairman.  In  your  testimony,  you  noted  that  many  of  the 
organizations  suggested  that  covered  entities  be  exempted  from  the 
definition  of  '^business  partner"'  in  the  regulation.  Please  explain 
that  rationale. 

Ms.  Heinrich.  The  covered  groups  have  said  that  they  feel  it 
would  be  very  difficult  for  them  to  enforce  privacy  law.  They  are 
concerned  about  being  held  accountable  for  the  business  partners. 

Barry,  in  terms  of  the  arguments  from  the  business  partner  per- 
spective, do  you  have  anything  to  add? 

Mr.  Bedrick.  I  think  the  concern  that  we  encountered  in  some 
of  the  comments  was  that  the  same  entity  would  be  a  covered  en- 
tity and  would  also,  as  the  regulation  is  now  written,  be  required 
to  enter  into  these  business  partner  agreements  with  other  covered 
entities. 

Their  argument  is  that  as  covered  entities  they  are  subject  to  all 
the  requirements  of  the  regulation,  and  therefore,  it  would  be  su- 
perfluous to  require  an  additional  contract  with  someone  who  is  al- 
ready a  covered  entity. 

The  Chairman.  In  your  testimony  on  the  preemption  of  State 
laws,  did  you  find  many  groups  suggesting  that  the  Secretary  auto- 
matically issue  advisory  opinions  on  the  stringency  of  all  State 
laws  so  that  entities  would  know  early  on  to  wluch  law  they  must 
comply? 

Ms.  Heinrich.  There  were  in  fact  several  commentors  who  sug- 
gested that  if  in  fact  there  could  not  be  a  Federal  standard,  per- 
haps the  next  best  thing  would  be  to  have  the  Secretary  then  deter- 
mine ahead  of  time  which  laws  in  which  States  would  be  exempted. 
That  would  provide  an  approach  that  some  organizations  think 
would  be  workable  if  in  fact  they  couldn't  have  the  standard  rule. 

The  Chairman.  The  proposed  rules  allow  for  statutory  authoriza- 
tion to  use  protected  health  information  for  treatment,  payment, 
and  health  care  operations  but  do  not  allow  entities  to  request  a 
written  authorization  should  they  wish  to.  Could  you  explain  the 
rationale  for  this? 

Ms.  Heinrich.  Well,  certainly,  the  rationale  for  having  the  au- 
thorization for  the  treatment  for  payment  and  operations  was  be- 
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cause  this  would  be  in  effect  stronger  than  what  we  currently  have, 
which  is  oftentimes  a  blanket  authorization  by  individuals  for  re- 
lease of  their  information,  but  they  have  no  idea  what  it  is  being 
released  for  or  how  the  information  will  be  used. 

Barry,  I  am  going  to  turn  to  you  to  describe  the  rationale  that 
was  given  for  not  allowing  individual  providers  to  request  author- 
ization. 

Mr.  Bedrick.  I  think  Dr.  Heinrich  touched  on  it.  This  is  ad- 
dressed in  the  HHS  preamble  to  the  proposed  regulation,  and  es- 
sentially, as  she  has  said,  they  were  concerned  that  the  blanket  au- 
thorization had  not  been  an  effective  mechanism  for  protecting  the 
privacy  of  patients  and  that  if  they  could  use  this  alternative  meth- 
od, it  would  in  the  end  be  more  protective  of  privacy. 

The  Chairman.  Senator  Kennedy. 

Senator  Kennedy.  Thank  you  very  much. 

Dr.  Heinrich,  could  you  tell  us  in  layperson's  language  how  much 
protection  exists  out  there  in  people's  medical  records  today?  We 
hear  that  there  is  more  protection  for  your  Blockbuster  video  rental 
information  than  there  is  for  your  medical  records. 

After  having  studied  and  looked  into  this,  what  was  the  situation 
before  the  regulations,  and  how  easy  was  it  for  people  to  get  these 
records,  and  was  it  becoming  easier  to  get  them?  How  much  risk 
was  out  there?  How  important  is  this  issue  to  families?  I  think  peo- 
ple would  like  to  know. 

I  think  most  people  feel  that  when  they  go  to  a  doctor's  office 
there  is  some  privacy  protection,  and  I  think  it  is  important  if  we 
are  going  to  develop  support  for  legislation  that  we  be  able  to  show 
that  there  are  some  real  concerns  in  terms  of  privacy. 

Ms.  Heinrich.  I  started  out  asking  the  question  what  is  the  mag- 
nitude of  this  problem  myself,  and  I  think  the  general  public  some- 
how believes  that  the  old  rule  that  the  physician  or  the  hospital 
will  take  care  of  this  information,  that  they  do  not  have  to  worry, 
is  still  quite  prevalent.  But  the  fact  of  the  matter  is  we  have  a  lot 
of  anecdotal  information  that  says  that  it  is  very  easy  for  people 
without  the  best  interests  of  the  individual  patient  in  mind  to  have 
access  to  very  private  medical  information.  In  the  news  and  the 
media,  we  have  heard  of  some  terrible  consequences. 

The  confidentiality  issues  have  had  impact  in  terms  of  employ- 
ment and  in  terms  of  discrimination  and  also  for  insurance  pur- 
poses. 

Senator  KENNEDY.  Do  you  think  this  is  going  to  be  more  of  a 
problem  down  the  line?  With  the  new  availability  of  electronic  in- 
formation as  well  as  the  research  that  is  being  done  on  DNA  to  find 
people  who  may  have  a  greater  proclivity  for  diseases  like  cancer, 
is  there  a  greater  chance  that  medical  information  can  be  used  to 
adversely  impact  people? 

Is  this  becoming  more  of  a  problem  today,  do  you  think,  than  it 
was,  say,  10  years  ago? 

Ms.  Heinrich.  I  think  it  is  certainly  the  down  side  of  our  techno- 
logical innovation,  that  in  fact  the  individually  identifiable  informa- 
tion, be  it  genetic  information,  is  going  to  be  much  more  readily 
available  if  we  do  not  protect  the  information. 

Senator  Kennedy.  Let  me  ask  you,  as  was  mentioned  in  the  re- 
port, the  Kassebaum-Kennedy  legislation  has  explicit  authority  in 
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terms  of  dealing  with  electronic  records.  I  am  interested  in  the  non- 
electronic records.  According  to  the  comments  to  HHS,  what  advan- 
tage would  there  be  in  extending  privacy  coverage  to  paper 
records? 

Ms.  Heinrich.  In  the  comments  that  we  reviewed,  people  said  it 
is  an  artificial  distinction  in  many  instances  between  the  patient 
medical  record  that  is  oftentimes  a  private  record  and  what  is  elec- 
tronically transmissible. 

I  was  very  interested  in  what  is  the  information  that  is  related 
to  payment,  administrative  issues,  versus  the  clinical  information 
and  the  clinical  record.  It  is  oftentimes  the  clinical  information  that 
is  in  the  paper  record. 

Some  people  argued  that  just  in  terms  of  the  simplicity  of  imple- 
menting these  regulations,  it  would  be  much  better  to  simply  have 
a  system  for  all  information  that  is  applicable. 

Senator  Kennedy.  And  did  you  find  any  provision  in  the  legisla- 
tion that  would  prohibit  HHS  from  extending  the  privacy  protec- 
tions to  the  nonelectronic  records? 

Ms.  Heinrich.  I  am  going  to  ask  Barry  to  answer  that  question. 

Mr.  Bedrick.  It  is  true,  certainly,  that  the  administrative  sim- 
plification provisions  of  the  law  concentrate  on  electronic  trans- 
mission of  records,  but  I  think  it  is  equally  true  that  Congress 
wanted  a  privacy  protection  scheme  in  the  regulation  or  the  law 
that  would  work,  that  would  extend  to  all  embodiments  of  the  in- 
formation. 

HHS  says  in  the  preamble  to  the  regulation  that  they  have  au- 
thority to  regulate  the  information  in  its  paper  form,  and  that 
seems  a  reasonable  interpretation. 

Senator  Kennedy.  I  would  think  so.  Let  me  ask  you  in  the  com- 
ments you  reviewed,  did  any  of  the  stakeholders  express  concerns 
about  allowing  medical  information  to  used  without  patient  consent 
for  treatment,  payment,  and  health  care  operations? 

Ms.  Heinrich.  Yes.  There  were  several  people  who  took  excep- 
tion to  this.  Simply  stated,  an  individual  always  should  be  re- 
quested for  their  individual  private  information  without  fail.  There 
were  very  strong  views  articulated  on  that  very  issue. 

Senator  Kennedy.  What  was  the  reason  for  that?  Was  it  basi- 
cally just  the  privacy  reason? 

Ms.  Heinrich.  It  is  the  privacy  reason,  and  some  people  also  feel 
strongly  that  it  is  the  individual  patient  who  owns  their  informa- 
tion and  their  record. 

Barry,  do  you  have  anything  to  add? 

Mr.  Bedrick.  No,  no.  I  agree  with  that. 

Senator  Kennedy.  Let  me  just  ask  you  finally,  according  to  the 
comments  that  you  reviewed,  what  have  been  identified  as  the 
major  advantages  of  providing  HHS  with  the  legal  authority  to 
cover  all  organizations  that  handle  medical  information,  not  just 
the  three  types  of  businesses  covered  under  the  current  regula- 
tions? 

Ms.  Heinrich.  I  think  the  arguments  that  we  read  are  as  fol- 
lows—and I  am  sure  you  will  be  hearing  more  of  these  later 
today— essentially,  you  have  individually  identified  information 
that  is  used  by  a  variety  of  entities,  not  just  the  three  that  are  cov- 
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ered  specifically  in  the  legislation,  and  if  these  entities  are  in  fact 
using  this  information,  then  they  should  be  covered. 

A  good  example  is  organizations  that  deal  with  auto  insurance  or 
life  insurance.  They  oftentimes  are  dealing  with  individually  identi- 
fiable medical  information  but  would  not  be  covered. 

Senator  Kennedy.  Thank  you  very  much. 

Thank  you,  Mr.  Chairman.  I  might  have  some  additional  ques- 
tions; if  I  could  submit  those  in  writing,  I  would  appreciate  it. 
The  Chairman.  Yes,  fine. 

The  Chairman.  I  have  two  more  questions  for  you.  For  the  indi- 
vidual doctors*  offices  that  may  be  made  to  comply  with  the  regula- 
tions, did  the  comment  letters  reflect  a  concern  that  the  burden 
would  be  so  great  that  it  might  prevent  these  offices  from  moving 
toward  electronic  medical  records? 

Ms.  Heinrich.  I  do  not  recall  that  there  was  that  comment  per 
se.  There  were  some  concerns  about  the  costs  of  implementing  the 
regulation,  but  the  fact  that  the  regulations  allow  for  different  ap- 
proaches to  implementation  depending  on  the  size  of  the  organiza- 
tion was  really  meant  to  relieve  some  of  the  burden  that  would  be 
placed  on  smaller  organizations.  So  in  fact,  the  person  who  would 
be  the  officer  appointed  for  oversight  of  privacy  or  posting  of  the 
privacy  rules  could  be  fairly  straightforward. 

The  Chairman.  In  your  testimony,  you  noted  that  there  was 
widespread  opposition  to  the  requirement  that  business  partner 
contracts  include  a  provision  stating  that  the  individuals  were 
**third-party  beneficiaries  of  the  contract."  Could  you  expand  on 
that? 

Ms.  Heinrich.  I  think  that  in  this  instance,  the  Department  was 
trying  to  give  individuals  the  right  to  sue  if  in  fact  their  individual 
information  was  somehow  misused,  and  they  were  not  able  to  do 
this  for  the  covered  entities,  so  this  was  their  approach. 

Would  you  like  to  say  anj^hing  more  about  that? 

Mr.  Bedrick.  I  agree  essentially  that  the  concern  was  that  that 
clause  in  the  business  partner  contracts  would  in  fact  create  a  right 
of  the  person  whose  information  was  improperly  disclosed  to  sue 
for  some  kind  of  relief  There  is  unfortunately  no  explanation  of 
that  provision  in  the  HHS  preamble  to  the  regulation,  so  it  is  dif- 
ficult to  know  what  was  behind  it,  but  that  would  seem  to  be  the 
logical  explanation. 

The  Chairman.  Thank  you  both. 

Senator  Kennedy.  May  I  ask  one  additional  question? 

The  Chairman.  Certainly.  Senator  Kennedy. 

Senator  Kennedy.  Did  you  review  what  is  happening  in  the 
States  in  regard  to  this  issue?  We  have  a  pretty  good  bill  in  my 
own  State  of  Massachusetts,  and  we  have  another  one  that  will 
provide  additional  kinds  of  protections,  and  we  have  a  lot  of  the 
same  kinds  of  elements  in  our  State — a  big  research  community, 
teaching  hospitals,  many  active  consumer  groups — as  those  that 
are  generally  in  play  in  terms  of  the  national  legislation.  I  was 
wondering  if — and  you  were  not  charged  with  it,  so  if  you  did  not, 
I  can  understand,  and  I  can  ask  my  staff  to  do  the  work — ^but  if 
you  have  some  suggestions  as  to  how  we  could  look  at  some  of  the 
States  that  are  doing  a  good  job,  I  would  be  interested. 
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Ms.  Heinrich.  We  did  not  do  that  work,  but  I  know  that  you  are 
going  to  be  hearing  from  the  Georgetown  University  Health  Policy 
Project,  and  I  know  they  have. 

Senator  ICennedy.  OK,  good.  That  is  a  good  place  to  ask  that. 

Thank  you. 

Thank  you,  Mr.  Chairman. 

The  Chairman.  Thank  you  both  very  much.  You  have  been  very 
helpful,  and  I  am  sure  we  will  be  back  in  touch  with  you. 
Ms.  Heinrich.  Yes.  Thank  you. 

The  Chairman.  Our  second  panel  consists  of  equally  distin- 
guished expert  witnesses. 

First,  I  am  pleased  to  introduce  Mr.  John  P.  Houston.  Mr.  Hous- 
ton is  Director  of  Production  Services,  Data  Security  Officer,  and 
Assistant  Counsel  at  The  UPMC  Health  System  in  Pittsburgh,  PA. 
He  manages  the  data  center  operations,  systems  support,  and  data 
security  groups.  In  addition,  he  sets  Health  System-wide  informa- 
tion system  security  standards  and  policies.  In  the  capacity  of  as- 
sistant counsel,  Mr.  Houston  develops,  negotiates,  and  reviews 
agreements  related  to  the  acquisition,  sale,  and  use  of  technology 
and  services. 

Mr.  Houston,  thank  you  for  being  with  us  today. 

I  would  also  like  to  introduce  Ms.  Kathy  Farmer,  Manager  of 
U.S.  Compensation  and  Benefits  for  Hewlett  Packard,  Palo  Alto, 
CA.  As  such,  she  is  in  charge  of  the  design  and  delivery  of  com- 
pensation and  benefits  services  within  U.S.  Human  Resources  orga- 
nizations. Previously,  she  was  a  vice  president  in  the  Human  Re- 
sources Division  of  Wells  Fargo  Bank,  N.A.,  where  she  redesigned 
the  total  benefits  program  following  two  mergers.  Ms.  Farmer  man- 
aged benefit  programs  with  an  emphasis  on  quality,  cost,  integra- 
tion, and  productivity.  At  present,  Ms.  Farmer  is  a  member  of  the 
board  of  directors  of  the  Integrated  Benefits  Institute;  she  has  also 
been  active  in  the  Pacific  Business  Group  on  Health,  Human  Re- 
source Education  and  Training  Committee,  and  served  as  president 
of  the  board  of  a  rural  community  health  clinic.  We  are  pleased  to 
have  you  with  us  today,  Ms.  Farmer. 

Also  with  us  on  this  panel  is  Dr.  Greg  Koski,  who  is  Director  of 
Human  Research  Affairs,  Partners  HealthCare  system.  Incor- 
porated, and  an  associate  professor  of  anesthesia  and  critical  care 
medicine  at  Massachusetts  General  Hospital.  After  receiving  his 
education  at  Harvard,  Dr.  Koski  completed  his  residency  and  fel- 
lowship training  at  the  National  Institutes  of  Health  as  a  phar- 
macology research  associate  before  returning  to  join  the  depart- 
ment of  anesthesia  in  1984.  During  his  30  years  at  Harvard,  Dr. 
Koski  has  actively  participated  in  every  aspect  of  academic  medi- 
cine including  basic  research,  cUnicai  investigation,  teaching,  ad- 
ministration, and  patient  care.  As  Director  of  Human  Research  Af- 
fairs, Dr.  Koski  is  responsible  for  the  ethical  and  regulatory  over- 
sight of  human  investigation,  including  the  protection  of  human 
participants  in  research  studies.  Welcome  to  you  also.  Dr.  Koski. 

Mr.  Houston,  please  proceed. 
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STATEMENTS  OF  JOHN  P.  HOUSTON,  DIRECTOR,  INFORMA- 
TION SERVICES  DIVISION,  UPMC  HEALTH  SYSTEM,  PITTS- 
BURGH, PA,  ON  BEHALF  OF  AMERICAN  HOSPITAL  ASSOCIA- 
TION; KATHY  FARMER,  MANAGER  OF  U.S.  COMPENSATION 
AND  BENEFITS,  HEWLETT  PACKARD,  PALO  ALTO,  CAL,  ON 
BEHALF  OF  WASHINGTON  BUSINESS  GROUP  ON  HEALTH; 
AND  DR,  E.  GREG  KOSKI,  ASSOCIATE  PROFESSOR  OF  ANES- 
THESIA AND  CRITICAL  CARE  MEDICINE,  MASSACHUSETTS 
GENERAL  HOSPITAL,  BOSTON,  MA. 

Mr.  Houston.  Thank  you,  Mr.  Chairman. 

I  am  John  Houston,  Director  of  Information  Services,  Data  Secu- 
rity Officer,  and  Assistant  Counsel  for  the  UPMC  Health  System. 
UPMC  is  comprised  of  14  owned  and  10  affiliated  hospitals,  10 
long-term  care  facilities,  300  physician  practices  and  other  health- 
related  services.  UPMC  employs  more  than  25,000  people  and 
serves  29  Western  Pennsylvania  counties. 

I  am  pleased  to  testify  today  on  behalf  of  the  American  Hospital 
Association's  nearly  5,000  hospitals,  health  systems,  networks,  and 
other  members. 

American  hospitals  and  health  systems  have  long  been  cham- 
pions of  patient  confidentiality.  Every  day,  the  thousands  of  Ameri- 
cans who  walk  through  our  doors  provide  caregivers  information  of 
the  most  intimate  nature;  they  do  so  trusting  that  we  will  keep  it 
confidential,  and  we  do. 

However,  caregivers  must  be  able  to  obtain  and  share  medical 
histories,  test  results,  and  other  information  so  that  patients  re- 
ceive the  best  care  possible.  If  providers  and  researchers  are  like- 
wise unable  to  obtain  and  reasonably  use  such  information,  other 
important  initiatives  related  to  reducing  medical  error  rates  and 
controlUng  the  costs  of  health  care  could  be  frustrated. 

We  have  an  umber  of  concerns  about  HHS'  proposed  rule  on  the 
confidentiality  of  patient  information.  I  will  focus  today  on  two  very 
key  points. 

My  first  point  is  the  rule's  overly  broad  scope.  By  including  the 
requirements  for  privacy  standards  in  HIPAA,  Congress  was  re- 
sponding to  concerns  about  threats  to  privacy  resulting  from  the 
electronic  transfer  of  identifiable  patient  information  among  provid- 
ers, payers,  and  others. 

Therefore,  the  Secretary's  authority  relates  specifically  to  the 
standardized  transaction  that  HIPAA's  administrative  simplifica- 
tion provisions  were  designed  to  facilitate. 

However,  the  proposed  rule  addresses  the  privacy  of  all  individ- 
ually identifiable  health  information.  Attempting  to  establish 
standards  for  every  use  and  disclosure  of  personal  health  informa- 
tion requires  HHS  to  anticipate  every  use  and  disclosure  and  deter- 
mine whether  each  is  appropriate.  This  is  impossible  and  beyond 
HHS'  scope  of  authority. 

We  recommend  that  the  rule  be  rewritten  so  that  it  applies  pri- 
vacy standards  to  the  individually  identifiable  information  used 
with  the  transactions  outlined  in  the  statute.  Then  the  regulation 
should  be  reissued  as  a  new  proposed  rule.  Because  the  broad  scope 
of  the  rule  is  so  overarching  and  inclusive,  limiting  the  scope  of  the 
transaction  specifically  mentioned  in  the  law  would  relieve  or  at 
least  ease  many  of  the  additional  concerns  about  the  rule. 
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To  my  second  point — cost.  The  proposed  rule  will  require  hos- 
pitals to  develop  and  rewrite  policies,  hire  staff,  retrain  staff,  re- 
negotiate contracts,  modify  existing  irJbrmation  systems,  and  im- 
plement new  information  systems  to  track  all  uses  and  disclosures 
of  information.  Such  changes  are  enormously  costly  and  conflict 
with  HIPAA's  cost  reduction  goals.  For  a  large,  geographically  dis- 
persed, integrated  delivery  system  like  UPMC,  the  cost  of  compli- 
ance will  be  daunting.  Patient  information  is  typically  stored  in  a 
variety  of  mediums  at  many  locations.  Without  enterprise-wide 
electronic  health  information  systems,  the  tracking  and  coordina- 
tion of  patient  medical  information  for  the  purpose  of  compliance 
will  be  difficult. 

While  UPMC  is  establishing  such  systems,  most  providers  do  not 
have  this  capability  nor  the  funds  to  achieve  it  within  the  time 
frames  necessary.  HHS  itself  estimates  that  the  regulation  will 
have  a  5-year  cost  of  at  least  $3.8  billion.  However,  that  estimate 
excludes  nine  of  the  regulation's  major  requirements. 

The  Nation's  hospitals  spent  more  than  $8  billion  on  Y2K  compli- 
ance. The  HHS  requirements  would  require  longer  conmiitments 
and  more  change,  and  therefore,  it  will  surpass  even  the  total  for 
Y2K.  Making  matters  worse,  these  costs  will  come  as  hospitals  are 
implementing  HIPAA's  administrative  transaction  and  security 
standards,  which  will  require  significant  investments  over  the  next 
few  years.  At  the  same  time,  hospitals  will  continue  to  be  battered 
by  the  Balanced  Budget  Act's  Medicare  and  Medicaid  spending  re- 
ductions. 

By  limiting  the  scope  of  the  regulations  to  the  transactions  de- 
fined in  HIPAA,  the  Secretary  can  considerably  reduce  the  regula- 
tion's cost.  HHS  should  perform  a  detailed  impact  analysis  before 
the  rule  takes  effect,  and  hospitals  should  be  given  3  years  to  com- 
ply rather  than  the  2  years  allowed  in  the  regulation.  It  will  take 

1  year  to  assess  exactly  what  hospitals  need  to  do  to  comply  and 

2  years  to  actually  get  the  job  done. 

Let  me  close,  Mr.  Chairman,  by  urging  Congress  to  act  now  on 
the  overly  broad  scope  of  the  proposed  rule.  Between  now  and  the 
issuance  of  the  final  rule.  Congress  should  adopt  legislation  making 
clear  that  you  intend  a  narrow,  specific  interpretation  of  HIPAA 
and  not  the  more  expansive  interpretation  by  HHS.  That  way,  the 
Department  will  have  clear  guidance  as  Congress  prepares  the 
final  rule. 

Thank  you. 

The  Chairman.  Thank  you. 

[The  prepared  statement  of  Mr.  Houston  follows:] 
Prepared  Statement  of  John  Houston 

Mr.  Chairman,  I  am  John  Houston,  Director  of  Production  Services,  Data  Seciirity 
Officer,  and  Assistant  Counsel  for  the  UPMC  Health  System  (UPMC).  I  am  pleased 
to  testify  today  on  behalf  of  the  American  Hospital  Association's  (AHA)  membership 
of  nearly  5,000  hospitals,  health  systems,  networks  and  other  providers  of  care. 
^  UPMC,  which  is  afBhated  with  the  University  of  Pittsburgh  Schools  of  the  Health 
Sciences,  is  a  leading  integrated  health  care  delivery  system  that  employs  more 
than  25,000  people  and  serves  29  western  Pennsylvania  counties.  UPIJC  is  com- 
prised of  14  owned  and  10  affiliated  hospitals,  as  well  as  a  managed  care  insurance 
company.  UPMC  also  operates  over  two  dozen  same-day  surgery  centers,  moid  than 
300  physicians'  offices,  10  long-term  care  and  independent-living  facihties,  in-home 


0 


37 

services,  a  mail-order  pharmacy,  a  regional  reference  laboratory,  rehabilitation  and 
occupational  medicine  services,  and  international  health  care  initiatives. 

We  appreciate  this  opportunity  to  present  our  views  on  a  critical  issue  for  health 
care  providers  and  the  people  we  serve:  the  confidentiality  of  protected  health  infor- 
mation. 

PROTECTING  PATIENTS'  TRUST 

Every  day,  thousands  of  Americans  walk  through  the  doors  of  America's  hospitals. 
Each  and  every  one  of  them  provides  caregivers  information  of  the  most  intimate 
nature.  They  provide  this  information  under  the  assumption  that  it  will  remain  con- 
fidential. In  fact,  the  Hippocratic  oath  requires  caregivers  to  do  just  that.  It  is  criti- 
cal that  this  trust  be  maintained.  Otherwise,  patients  may  be  less  forthcoming  with 
information  about  their  conditions  and  needs — information  that  is  essential  for  phy- 
sicians and  other  caregivers  to  know  in  order  to  keep  people  well,  ease  pain,  and 
treat  and  cure  illness. 

If  caregivers  are  not  able  to  obtain  and  share  patients'  medical  histories,  test  re- 
sults, physician  obser%'ations,  and  other  important  information,  patients  will  not  re- 
ceive the  most  appropriate,  timely,  high-quality  care  possible.  If  health  care  provid- 
ers and  researchers  are  likewise  unable  to  reasonably  obtain  or  use  such  informa- 
tion, other  important  initiatives  related  to  reducing  medical  error  rates  and  the  cost 
of  health  care  could  be  frustrated. 

Confidentiality  of  health  information  is  an  issue  that  affects  all  of  us  personally. 
We  Uve  in  a  time  of  rapidly  advancing  technological  improvement,  when  the  world 
seems  to  get  smaller  as  computers  get  more  powerful  and  databases  get  bigger.  This 
technological  change  can  be  positive — it  has  led  to  significant  improvements  for  both 
health  care  providers  and  their  patients — but  it  worries  people  who  are  justifiably 
concerned  about  how  information  about  them  will  be  used. 

Indeed,  hospitals  have  been  the  champions  of  patient  privacy.  The  AHA's  'Ta- 
tienfs  Bill  of  Rights,"  which  was  first  approved  by  the  AHA  Board  of  Trustees  in 
1973  and  revised  in  1992,  is  used  by  many  hospitals  to  notify  patients  of  their 
rights.  That  document  provides,  in  part,  that: 

The  patient  has  the  right  to  every  consideration  of  privacy.  Case  discussion,  con- 
sultation, examination,  and  treatment  should  be  conducted  so  as  to  protect  each  pa- 
tient's privacy. 

The  patient  has  the  right  to  expect  that  all  communications  and  records  pertain- 
ing to  nis^er  care  will  be  treated  as  confidential  by  the  hospital,  except  in  cases 
such  as  suspected  abuse  and  pubUc  health  hazards  when  reporting  is  permitted  or 
required  by  law.  The  patient  has  the  right  to  e^ect  that  the  hospital  will  emphasize 
the  confidentiahty  of  this  information  when  it  is  released  to  any  other  parties  enti- 
tled to  review  the  information. 

The  patient  has  the  right  to  review  the  records  pertaining  to  his/her  medical  care 
and  to  have  the  information  explained  or  interpreted  as  necessary,  expect  when  re- 
stricted by  law. 

Caregivers  take  the  protection  of  these  rights  seriously 

CONFIDENTIAIJTY  REGULATIONS  PROPOSED  BY  HHS 

By  including  the  requirement  for  privacy  standards  in  the  Health  Insurance  Port- 
abihty  and  Accountabihty  Act  of  1996  (HIPAA),  Congress  was  attempting  to  respond 
to  veiT  real  concerns  about  potential  threats  to  privacy  resulting  fi*om  the  increased 
use  of  electronic  transfer  of  identifiable  patient  information.  The  Secretary  of  the 
Department  of  Health  and  Human  Services  (HHS)  recently  proposed  "Standards  for 
Privacy  of  Individually  Identifiable  Health  Information"  to  adoress  those  concerns. 
While  the  Secretary  attempted  to  balance  patients'  confidentiality  rights  with  care- 
givers' need  for  access  to  health  information,  we  are  gravelv  concerned  that  the  Sec- 
retary exceeded  her  authority  in  promulgating  the  proposed  nde. 

Additionally,  many  of  the  HHS  proposed  privacy  standards  impose  significant 
burdens  on  health  care  providers,  while  not  giving  any  additional  real  protections 
to  the  patient. 

The  proposed  rule's  scope 

By  including  the  requirement  for  privacy  standards  in  HIPAA,  Congress  was  at- 
tempting to  respond  to  very  real  concerns  about  potential  threats  to  privacy  result- 
ing fi^m  the  electronic  transfer  of  identifiable  patient  information  among  providers, 
payers  and  clearinghouses.  Hence,  the  Secretary's  authority  relates  specifically  to 
the  privacy  of  individually  identifiable  heath  information  transmitted  in  connection 
with  the  standardized  transactions  tiiat  HIPAA's  administrative  simplification  pro- 
visions were  designed  to  faciUtate  (general  eligibility,  claims  and  payment).  How- 
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ever,  the  Secretary  proposes  to  apply  the  rule  well  beyond  the  transactions  Congress 
\  specified  in  law. 

In  addition  to  applying  the  standards  beyond  the  transactions  specified,  the  pro- 
posed rule  also  goes  beyond  the  concept  of  "transactions"  to  include  all  uses  and  dis- 
closures of  individually  identifiable  information.  It  includes  interactions  between 
practitioners,  disclosures  to  a  hospital  directory,  next  of  kin,  emergency  purposes, 
researchers,  oversight  officials,  coroners  and  any  other  use  HHS  could  anticipate. 

The  rule  attempts  to  address  the  privacy  of  all  individually  identifiable  health  in- 
formation, rather  than  the  information  transmitted  electronically  among  providers 
and  payers  in  certain  transactions  as  described  in  HIPAA.  This  is  not  only  beyond 
the  scope  of  the  HIPAA  mandate,  but  also  requires  the  Secretary  to  reach  deep  into 
the  organization  and  delivery  of  health  care  provided  by  miUions  of  caregivers  in 
thousands  of  settings.  Attempting  to  estabUsh  standards  for  every  single  use  and 
disclosure  of  personal  health  information  requires  HHS  to  anticipate  every  single 
use  and  disclosure  and  determine  whether  each  is  appropriate,  and  then  decide 
what  restrictions,  if  any,  must  be  placed  on  each  such  use  or  disclosure. 

It  is  impossible  for  HHS  to  anticipate  every  need  for  information.  However  in- 
tended, if  a  provider  needs  information  for  a  use  not  anticipated  in  this  proposed 
rule,  he  or  sne  may  be  prohibited  fi-om  using  that  information  for  that  function,  or 
may  have  to  scale  significant  hurdles  to  get  it. 

The  AHA  does  not  understand  why  HHS  believes  it  covdd  go  beyond  the  clearly 
stated  authority  of  HIPAA.  The  only  discussion  related  to  the  scope  of  authority  re- 
lates to  whether  certain  paper  records  are  subject  to  regulation.  HHS  defends  the 
expansion  of  its  jurisdiction  to  paper  records  and  indicates  its  belief,  unsupported 
by  analysis,  that  the  privacy  regulations  are  not  limited  in  their  application  to  the 
financim  and  administrative  transactions  specified  by  HIPAA. 

AHA's  recommendation:  Rewrite  the  rule  so  that  it  applies  privacy  standards  to 
the  individually  identifiable  information  used  with  the  transactions  outlined  in  the 
statute,  and  re-issue  the  rewritten  regulation  as  a  new  proposed  rule.  Because  the 
broad  scope  of  the  proposed  rule  is  so  overarching  and  inclusive,  limiting  that  scope 
to  those  transactions  specifically  mentioned  by  in  the  law  would  in  turn  reUeve,  or 
at  least  ease,  many  of  our  additional  concerns  about  the  rule. 

Preemption  of  state  law 

Hospitals  and  health  systems  consider  themselves  guardians  of  our  patients'  indi- 
vidually identifiable  health  information,  or  protectc^d  health  information.  That  is 
why  AHA  has  long  supported  the  passage  of  strong  federal  legislation  to  establish 
uniform  national  standards  for  all  who  use  this  information. 

The  proposed  rule  carves  out  certain  state  laws  from  federal  preemption,  and 
state  laws  that  are  contrary  and  more  stringent  are  allowed  to  stand.  However,  no 
analysis  is  provided  to  help  the  entities  covered  by  the  rule  determine  how  their 
state  laws  would  match  up  with  these  long  and  complex  federal  requirements,  and 
no  process  is  outlined  for  them  to  seek  such  guidance.  The  sole  process  for  obtaining 
guidance  specifically  allows  only  states  to  ask  for  guidance  on  when  a  state  law 
would  be  considered  contrary  and  more  stringent. 

This  leaves  providers  in  an  untenable  position:  they  will  not  know  which  state 
laws  HHS  considers  to  be  contrary  and  more  stringent;  hence  they  cannot  determine 
which  rules  apply.  But  they  also  cannot  ask  the  department  to  clarify. 

One  of  our  primary  reasons  for  supporting  federal  confidentiality  legislation  is 
that  health  care  is  deUvered  across  state  boundaries.  National  uniform  rules  are 
needed  to  establish  a  strong  uniform  privacy  protection  across  the  country.  Match- 
ing up  many  different  state  rules  is  increasingly  difficult,  and  will  lead  to  confusion 
as  to  what  rules  apply. 

Providers,  under  the  proposed  rule,  would  have  to  comply  not  only  with  a  patch- 
work of  state  requirements,  but  also  imderstand  how  the  federal  rules  overlay  state 
requirements. 

Hospitals  and  health  systems  would  have  to  perform  a  five-part  test  to  determine 
which  rules  apply.  They  will  have  to  determine  which  state  laws:  are  carved  out 
from  the  preemption;  are  privacy  laws;  are  related  to  the  individual  provisions  in 
the  federal  regulation;  are  contrary  to  the  federal  regulation;  and  are  more  stringent 
than  the  federal  regulation.  No  health  care  provider  should  be  forced  to  conduct 
such  sophisticated  analysis  simply  to  determine  which  rules  to  follow. 

AHA's  recommendation:  EstabUsh  a  process  in  which  HHS  performs  an  initial 
state-by-state  analysis  to  provide  guidance  on  which  state  laws  apply,  to  be  released 
within  one  year  of  the  final  rule's  pubUcation.  The  final  regulation  should  not  be 
in  effect  until  this  analysis  is  complete.  Allow  individual  providers  to  seek  advisory 
opinions  in  certain  circumstances,  or  at  least  establish  a  formal  process  for  ques- 
tions. And,  the  Secretary  should  work  with  providers  to  create  implementation 
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guidelines,  to  be  modeled  after  the  interpretive  guidelines  that  the  Health  Care  Fi- 
nancing Administration  (HCFA)  creates  for  siirveyors  on  conditions  of  participation 
for  Medicare  and  Medicaid  contractors. 

The  regulation's  cost 

The  HHS  proposed  rule  requires  significant  changes  to  current  systems,  mandates 
new  ones,  and  creates  barriers  to  some  current  information  needs.  Because  hospitals 
already  have  in  place  many  safeguards  to  protect  patient  information,  the  proposed 
requirements  are  also  often  redundant.  Still,  the  prescriptive  nature  of  the  require- 
ments will  require  hospitals  to  develop  and/or  rewrite  policies,  hire  additional  staff, 
retrain  staff,  renegotiate  contracts,  and  modify  existing  information  systems  and  im- 
plement new  information  systems  to  track  all  uses  and  disclosures  of  information. 
Such  changes  are  enormously  costly  and  conflict  with  the  explicit  cost-reduction 
goals  of  HIPAA. 

For  a  large  and  geographically  dispersed  integrated  health  care  delivery  system 
like  UPMC,  the  effort  and  cost  of  compUance  will  be  disproportionate  in  comparison 
to  smaller  stand-alone  facilities.  This  is  because  patient  medical  information  is  typi- 
cally stored  in  a  variety  of  mediums  and  at  many  locations.  In  the  absence  of  an 
enterprise-wide  electronic  health  information  environment,  the  tracking  and  coordi- 
nation of  patient  medical  information  for  the  purpose  of  compUance  win  be  difficult. 
While  UPMC  is  implementing  such  a  state-of-the-art  health  information  environ- 
ment, it  is  a  time-consuming  and  extremely  costlv  undertaking.  Most  health  care 
providers  simply  do  not  have  this  capability  today,  nor  the  funds  necessary  to 
achieve  it. 

HHS  itself  estimated  the  regulation  to  have  a  five-year  cost  of  "at  least"  $3.8  bil- 
Uon.  However,  that  estimate  excludes  nine  of  the  regulation's  major  requirements 
for  which  cost  estimates  were  not  available:  determining  minimimi  necessary  disclo- 
sure; monitoring  business  partners  with  whom  information  is  shared;  creation  of  de- 
identified  information;  internal  complaint  processes;  sanctions;  compliance  and  en- 
forcement; the  designation  of  a  privacy  official  and  creation  of  a  privacy  board;  the 
creation  of  a  staff  to  review  patients'  requests  for  changes  to  the  medical  record;  ad- 
ditional requirements  on  research;  and  optional  disclosures. 

In  addition,  HHS'  estimate  primarily  reflects  one-time  costs,  while  the  new  sys- 
tems required  for  compliance  will  demand  ejcpensive  maintenance  and  updating. 

The  nation's  hospitals  spent  an  estimated  $8.2  biUion  to  ensure  that  their  systems 
and  equipment  would  not  be  affected  by  the  so-called  'T2K  bug."  The  HHS  require- 
ments would  require  longer-term  commitments  and  more  change  than  Y2K  compli- 
ance did.  Therefore,  the  cost  of  implementing  the  recommendations  appears  to  be 
significantly  higher  than  Y2K  compliance. 

And  these  additional  costs  of  ensuring  privacy  will  come  as  hospitals  must  also 
implement  HIPAA's  administrative  transaction  and  security  standards,  which  will 
require  significant  investment  over  the  next  few  years. 

AHA  recommendation:  The  Secretary  should  carefully  consider  the  cost  impact  of 
requiring  so  many  new  systems  and  of  reaching  so  deeply  into  the  delivery  of  care. 
HHS  should  limit  the  scope  of  the  privacy  regiilation  to  the  transactions  defined  in 
HIPAA,  and  perform  a  detailed  impact  analysis  before  the  regulation  takes  effect. 
Also,  hospitals  should  be  given  three  years  to  come  into  compuance.  Our  members 
believe  it  will  take  a  year  to  assess  what  they  need  to  do  to  comply,  and  two  years 
to  alter  information  systems,  establish  additional  poUcies  and  procedures,  change 
notices  and  authorizations,  rewrite  multitudes  of  contracts,  and  perform  initial 
training  for  all  employees  and  practitioners.  The  cost  impact  should  be  included  in 
the  final  rule. 

Identifiable  vs.  non-identifiable  information 

The  proposed  rule  assumes  that  information  is  not  identifiable  only  if  all  of  the 
19  identifiers  noted  by  the  rule  are  stripped  from  the  patient's  record  and  there  is 
no  reason  to  believe  that  the  recipient  could  use  the  information,  combined  with  the 
patient's  health  information,  to  identify  the  patient. 

Thus,  almost  every  piece  of  information  is  considered  by  the  regulation  to  be  iden- 
tifiable, even  if  the  only  identifiers  are  those  such  as  age,  condition,  and  zip  code. 
To  make  information  non-identifiable,  the  regulation  would  force  too  much  informa- 
tion to  be  stripped,  with  the  result  that  the  mformation  is  of  little  or  no  use  for  any 
purpose. 

For  example,  the  HHS  regulation  does  not  anticipate  the  disclosure  of  personal 
health  information  to  state  data  organizations  that  use  it  for  health  data  analysis. 
About  30  state  hospital  associations  and  their  afBUates  or  subsidiaries  receive  this 
information  from  hospitals  on  a  routine  basis.  In  addition  to  contracting  with  indi- 
vidual hospitals  for  q\iality  assiirance  analysis,  state  associations  also  aggregate 


data  across  hospitals  to  assist  them  in  other  types  of  planning.  Moreover,  they  often 
share  such  data  with  other  external  organizations  for  analysis  that  is  vital  to  fur- 
ther the  national  interest  in  efficient  and  effective  health  care  dehvery. 

The  HHS  proposed  rule  seems  to  anticipate  and  support  the  functions  these  orga- 
nizations perform  in  the  section  allowing  release  of  information  for  these  purposes 
to  government  health  data  organizations.  However,  private  health  data  organiza- 
tions are  not  explicitly  recognized.  Changes  must  be  made  to  the  proposal  to  ensure 
the  explicit  recognition  of  the  vaUdity  of  private  health  data  organizations.  Their  im- 
portant repository  functions  should  not  be  outlawed  by  the  regulation. 

The  primary  uses  of  this  information  beyond  those  anticipated  by  the  regulation, 
£ire:  market  share  analysis;  determining  physician  utilization  of  local  hospital  re- 
sources; comparing  hospital  charges;  utilization  analysis;  analyzing  health  care 
costs;  determining  whether  a  community  requires  a  new  service;  and  gauging  qual- 
ity of  care. 

A  patient's  name  and  address  are  not  included  in  this  information.  However,  pa- 
tient information  including  demographics  (zip  code,  date  of  birth,  and  county  are  of 
particular  use),  and  clinical  information  such  as  diagnosis  and  procedure  codes  are 
collected  on  each  discharge. 

HHS  needs  to  either  clarify  that  the  information  private  state  data  organizations 
use  would  be  considered  de-identified,  and  therefore  beyond  the  scope  of  the  regula- 
tion, or  that  the  functions  they  perform  are  explicitly  allowed. 

AHA  recommendation:  To  be  useful  in  data  analysis,  certain  identifiers  are  criti- 
cal. For  example,  a  person's  age  and  zip  code  are  used  to  help  aggregate  data.  In- 
stead of  a  diagnosis  or  procedure  being  traced  to  an  individual,  the  data  become  the 
numbers  of  procedures  performed  in  a  certain  geographical  area.  This  kind  of  infor- 
mation, for  example,  is  available  in  the  AHA-pubUshed  Dartmouth  Atlas  of  Health 
Care  in  America.  Therefore,  the  proposed  rule  should  include  language  that  recog- 
nizes a  more  reasonable  standard  for  defining  information  that  is  not  individually 
identifiable.  The  current  standard  in  the  rule  requires  that  there  be  "no  reason  to 
believe"  the  information  is  identifiable.  The  new  standard  should  be  that  there  is 
"no  reasonable  basis"  to  believe  the  information  would  be  used  to  identify  a  patient. 

The  "minimum  necessary"  standard 

The  proposed  regulation's  "minimum  necessary"  standard  basically  requires  that 
a  caregiver  or  other  entity  covered  by  the  rule  not  use  or  disclose  "more  than  the 
minimiun  amount  of  personal  health  information  necessary  to  accompUsh  the  in- 
tended purpose  of  the  use  or  disclosure." 

This  is  completely  at  odds  with  good  medical  practice,  and  is  potentially  very  dan- 
gerous. Caregivers  need  a  full  and  complete  picture  of  a  patient's  health  to  make 
a  diagnosis  and  develop  a  treatment  plan.  It  is  often  impossible  to  determine  in  ad- 
vance what  information  may  be  necessary  for  another  caregiver  who  may  be  seeing 
the  patient  for  another  reason.  For  example,  an  emergency  department  doctor  may 
request  the  entire  record  of  a  patient,  but  then  determine  that  only  a  small  portion 
was  needed.  Did  he  or  she  request  the  minimum  amount  of  information  necessary? 
What  may  appear  unnecessary  from  a  lab  technician's  perspective  may  be  vital  for 
a  physician's  overall  diagnosis. 

AHA  recommendation:  The  minimum  necessary  standard  should  not  apply  to  uses 
of  information  for  health  care  purposes.  However,  if  the  standard  remains,  revise 
it  to  say  that,  "In  estabUshing  safeguards,  the  covered  entity  must  take  into  consid- 
eration, based  on  the  type  or  category  of  request,  ways  to  ensiu-e  that  the  minimvmi 
amount  of  information  necessary  for  the  purpose  for  which  the  information  is  need- 
ed is  used  or  disclosed.  This  includes  methods  for  determining  the  type  or  types  of 
persons  who  may  have  access  to  the  information."  This  change  woiUd  ensure  that 
this  principle  was  widely  considered  in  designing  safeguards  without  making  it  im- 
possible or  clinically  dangerous  to  comply. 

Release  of  information  to  law  enforcement 

It  is  ironic  that  a  proposed  regulation  establishing  cumbersome  new  checks  and 
balances  on  the  use  of  information  for  the  purposes  for  which  the  information  was 
created — diagnosis,  treatment  and  clinical  management — ^makes  it  relatively  easy 
for  law  enforcement  authorities  to  obtain  the  information  for  purposes  unrelated  to 
the  purposes  for  which  it  was  created. 

Hospitals  often  find  themselves  in  the  middle  of  conflicts  between  law  enforce- 
ment officers  and  patients  over  the  use  of  personal  health  information.  Therefore, 
hospitals  have  well-established  rules  for  when  information  can  be  released.  But  the 
regulation  effectively  sets  up  a  de  facto  standard  for  when  it  is  appropriate  to  re- 
lease identifiable  information  to  law  enforcement  and  legal  counsel. 
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AHA  recommendations:  Based  on  hospitals'  extensive  experience  with  this  issue, 
we  recommend  that  HHS  change  the  rule  in  this  area.  Specifically,  simply  stating 
that  the  information  requested  concerns  a  litigant  and  that  the  Utigant's  health  con- 
dition is  at  stake  should  not  be  enough  to  force  release  of  information.  These  kinds 
of  evidentiary  rules  are  controlled  by  state  law  and  should  not  be  pre-empted.  The 
regulation  should  also  limit  the  further  use  of  information  after  it  is  released  to  law 
enforcement  and  legal  counsel.  And,  except  in  cases  of  urgent  circumstances,  such 
as  information  about  a  victim  of  a  crime  or  abuse,  a  neutral  third  party  should  be 
required  to  consider  the  advisability  of  release  of  information  using  the  criteria  in 
the  regulation. 

Information  needed  for  research 

The  AHA  generally  supports  the  approach  taken  by  the  proposed  rule  in  address- 
ing the  disclosure  of  information  for  research.  Unfortunately,  the  proposed  rule 
n^s  to  be  clarified  and  further  evaluated  against  other  existing  federal  research 
regulations  to  ensure  that  there  is  a  consistent  set  of  standards  that  can  be  appUed. 
Additionally,  we  are  concerned  that  the  regulation,  in  limiting  the  use  and  disclo- 
sure of  personal  health  information  to  general  knowledge  "related  to  health,"  leaves 
out  some  very  significant  uses  of  health  information.  For  example,  some  health  care 
utilization  data  is  also  usefiil  for  social  research.  Gun  shot  wounds,  spousal  abuse, 
and  other  kinds  of  information  fi*om  emergency  room  statistics  are  often  used  to  per- 
form research  with  ramifications  for  social  policy.  It  should  not  be  necessary  to  limit 
the  purposes  of  research  as  long  as  protections  are  in  place. 

Directory  information 

The  regulation  outlines  the  process  hospitals  must  follow  in  order  to  release  pa- 
tient information  to  their  directories.  It  is  an  example  of  how  anticipating  the  needs 
of  the  few  often  results  in  harm  to  the  needs  of  the  many. 

The  regulation  states  that  most  people  are  willing  for  summary  information  about 
themselves,  listing  their  location  in  the  hospital  and  their  general  condition,  to  be 
available  automaticallv.  It  then  goes  on  to  say  that,  because  a  few  may  not  want 
the  information  available,  hospitals  should  change  long-standing  policy  and  practice 
and  obtain  permission  to  include  this  information  in  the  hospital  directory. 

This  approach  has  been  tried  before,  and  it  failed.  In  1999,  hospitals  in  Maine 
tried  it,  and  had  great  diffioilty  obtaining  permission  fi-om  patients  before  getting 
calls  fi*om  next-of-kin,  clergy,  florists,  friends,  and  others  asking  if  their  loved  one 
was  in  the  hospital  and  where  they  could  be  found.  The  admissions  office  had  to 
ask  permission,  document  the  answer,  and  then  transmit  that  information  to  the 
floor  of  whomever  was  answering  phones.  In  addition,  in  rural  areas  where  patients 
knew  the  hospitals  well,  patients  would  bypass  the  normal  check-in  process  and  go 
directiy  to  their  rooms  without  being  give  the  chance  to  give  permission.  The  law 
was  quickly  repealed  and  replaced  with  one  that  allows  persons  to  request  that  their 
directory  information  be  withheld. 

AHA  recommendations:  Change  the  proposed  rule  to  allow  hospitals  to  disclose 
protected  health  information  for  directory  purposes,  unless  patients  with  the  capac- 
ity to  make  their  own  health  care  decisions  explicitly  request  that  their  information 
not  be  disclosed. 

^hxit  Congress  can  do 

While  we  have  serious  concerns  about  the  proposed  regulation's  scope  beyond 
legal  authority,  we  know  that  Congress  is  unlikely  to  take  action  imtil  the  final  rule 
is  promulgated.  We  believe  that,  if  our  concerns  are  addressed  adequately  in  the 
final  rule,  congressional  action  wiU  be  unnecessary,  although  ultimately  Congress 
must  address  the  significant  costs  associated  with  the  regulation. 

At  same  time,  because  we  are  so  deeply  concerned  about  the  proposed  rule's  scope, 
we  believe  a  statement  of  congressional  intent  would  be  helpful  between  now  and 
issuance  of  the  final  rule.  In  this  statement,  Congress  should  reiterate  the  more  ac- 
curate and  narrow  interpretation  of  the  law  as  we  read  it,  rather  than  the  more  ex- 
pansive interpretation  as  HHS  reads  it.  That  way  the  department  will  have  the 
clear  guidance  of  Congress. 

We  also  remain  concerned  that  some  positive  elements  of  the  rule  could  be  jeop- 
ardized by  opening  it  to  congressional  action.  Therefore,  other  than  the  need  to  ad- 
dress scope,  we  believe  Congress  should  wait  until  the  final  rule  is  promulgated  and 
it  has  a  better  sense  of  what  the  department  is  recommending. 

The  complexity  and  cost  associated  with  the  rule  will  need  to  be  addressed  by 
Congress  in  the  future.  Once  we  have  a  final  rule,  we  hope  Congress  will  recognize 
the  huge  costs  that  it  will  force  hospitals  to  incur,  and  make  accommodations  ac- 
cordingly. 
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CONCLUSION 

Mr.  Chairman,  America's  hospitals  and  health  systems  take  very  seriously  the 
privacy  of  our  patients'  personal  health  information.  In  large  measure,  the  most  ef- 
fective, simplest  and  least  costly  manner  of  addressing  the  privacy  of  our  patients' 
personal  health  information  is  to  ensure  that  appropriate  health  information  con- 
ndentiaUty  pohcies,  safeguards  and  staff  training  programs  are  in  place  and  en- 
forced. By  taking  this  approach,  we  can  ensure  that  patients'  personal  health  infor- 
mation is  protected,  while  at  the  same  time  making  sure  information  critical  to  the 
well-being  of  those  patients  is  available  to  those  who  need  it. 

We  are  committed  to  working  with  HHS  to  ensure  that  its  final  regulation  govern- 
ing the  protection  of  individually  identifiable  patient  health  information  balances 
both  of  these  needs,  without  imposing  overly  cumbersome  new  requirements  on  hos- 
pitals and  health  care  providers. 

The  ctirrent  broad  scope  of  the  proposed  rule  is  its  Achilles  heel.  It  reaches  far 
beyond  the  uses  and  disclosures  of  iirformation  specified  by  Congress.  By  limiting 
the  rule  to  those  transactions  intended  by  Congress,  most  of  the  concerns  I  have 
outUned  today  would  be  substantially  reheved  or  eased. 

By  limiting  its  scope  to  that  intended  by  Congress,  the  HHS  privacy  regulation 
can  be  vastly  improved  for  the  benefit  of  hospitals,  health  systems,  caregivers,  and 
the  people  who  entrust  us  with  very  sensitive  and  intimate  information  about  their 
lives. 

The  Chairman.  Ms.  Farmer. 

Ms.  Farmer.  Thank  you,  and  good  morning,  Mr.  Chairman  and 
Senators. 

I  am  Kathy  Farmer,  manager  of  U.S.  Compensation  and  Benefits 
for  Hewlett  Packard.  HP  is  a  leading  technology  provider  with 
more  than  83,000  employees  globally  in  120  countries.  I  am  also  an 
active  participant  in  the  Washington  Business  Group  on  Health,  on 
whose  behalf  I  am  testifying  today. 

Washington  Business  Group  on  Health  has  a  strong  voice  in  the 
employer  community,  with  over  160  large  employer  members. 

My  key  message  today  on  behalf  of  the  WBGH  is  really  simple. 
We  do  believe  that  national  confidentiality  rules  are  needed  to  en- 
sure that  sensitive  health  data  is  not  misused  and  to  strengthen 
consumer  trust. 

However,  the  WBGH  does  not  consider  the  HHS  proposed  pri- 
vacy rule  either  optimum  or  workable.  There  are  numerous  provi- 
sions outlined  in  the  proposed  regulation  that  would  be  palatable 
to  employers,  such  as  the  statutory  authorization  approach  for 
treatment,  payment,  and  health  care  operations. 

Unfortunately,  though,  the  HHS  proposed  regulation,  when  ana- 
lyzed in  its  entirety,  would  force  employers  acting  as  covered  enti- 
ties to  navigate  through  a  maze  of  unnecessarily  complex  data  use 
restrictions.  While  we  recognize  that  many  of  the  regulation's 
shortfalls  result  from  limitations  in  their  statutory  authority,  we 
also  believe  that  incomplete  knowledge  about  the  complexities  of 
employer-sponsored  health  programs  was  a  factor.  A  more  com- 
prehensive legislative  solution  is  needed. 

There  are  a  number  of  important  reasons  why  the  HHS  proposed 
privacy  rules  fall  short.  The  first  and  most  fundamental  of  these 
reasons  is  the  definition  of  a  covered  entity.  Due  to  the  statutory 
conf  nes  of  HIPAA,  the  proposed  regulations  only  apply  to  an  em- 
ployer when  it  uses  or  transmits  electronic  individually  identifiable 
health  information  in  a  health  plan,  health  care  provider,  or  busi- 
ness partner  capacity. 

We  believe  in  the  WBGH  that  this  is  a  fragmented  regulatory  ap- 
proach, and  it  would  be  very  difficult  to  implement. 
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An  additional  concern  related  to  the  regulation's  fragmentation  is 
the  explicit  exclusion  of  traditional  disability  and  workers  com- 
pensation insurance  from  the  regulation's  scope.  By  permitting  the 
proposed  rule  to  govern  only  electronic  individually  identifiable 
health  information  derived  from  the  group  health  setting,  HHS  is 
assimiing  that  group  health,  disability  and  workers  compensation 
benefits  are  administered  separately  fi-om  one  another  and  that 
they  could  be  subject  to  different  sets  of  data  rules. 

This  is  not  the  case  in  toda/s  business  world  where  advanced 
benefit  integration  is  becoming  increasingly  common.  In  a  global 
economy  with  oftentimes  a  shortage  of  skilled  workers,  with  an  in- 
creased focus  on  productivity,  43  percent  of  employers  are  now  re- 
porting that  they  are  operating  integrated  disability  management 
programs. 

We  recognize  that  there  are  political  impetuses  in  place  to  place 
disability  insurance  and  workers  compensation  benefits  beyond  the 
proposed  rule's  reach.  However,  we  believe  that  carve-outs  of  these 
types  of  data  are  counterproductive  to  the  development  of  inte- 
grated benefits  and  disability  management  programs. 

A  second  area  of  concern  where  the  proposed  privacy  rule  fall 
short  is  preemption.  We  are  very  disconcerted  for  a  number  of  rea- 
sons which  are  explained  in  the  full  testimony.  The  most  fun- 
damental concern  is  that,  as  most  employers  know  well  to  be  true, 
full  preemption  of  State  laws  is  essential  for  employers  who  often 
have  nationwide  webs  of  locations  and  workers.  If  a  Federal  uni- 
form confidentiality  standard  is  not  enacted,  the  functioning  and 
administration  of  employer  health-related  programs  could  be  placed 
in  serious  jeopardy. 

Business  partners  we  believe  has  a  shortfall  in  the  concept.  Al- 
though the  proposed  regulation  outlines  the  requirements  for  busi- 
ness partner  relationships  external  to  the  covered  entity,  quite 
clearly,  it  provides  no  guidance  as  to  whether  business  partner  re- 
lationships can  or  need  to  exist  within  different  division  of  the 
same  employer  and  how  these  relationships  should  be  handled. 
Discussions  between  the  WBGH  and  HHS  failed  to  result  in  any 
definitive  answers  to  these  questions. 

A  fourth  area  where  we  have  concern  is  that  we  believe  the  pro- 
posed privacy  rule  falls  short  around  the  classification  and  use  of 
individually  identifiable  health  data.  It  is  quite  stringent  and 
would  impede  the  ability  to  have  overall  analysis  when  date  of 
birth  and  geo-identifiers  are  restricted — ^for  example,  in  terms  of 
trying  to  identify  trends  and  patterns  within  the  work  force  and  to 
create  proactive  interventions. 

In  conclusion,  I  must  stress  the  HHS'  good  faith  effort  to  formu- 
late balanced,  flexible,  yet  strong  new  privacy  standards.  To  its 
credit,  during  the  rule-drafting,  HHS  maintained  an  open  door 
communication  policy  for  many  groups.  Despite  this,  we  must  em- 
phasize our  continued  unease  with  the  fragmented  infrastructure 
the  proposed  regulations  would  create  and  the  consequences  of  this 
disjointed  infrastructure  for  employer-sponsored  health  initiatives. 
HHS  cannot  address  many  of  the  proposed  regulation's  shortfalls 
due  to  the  limitation  of  its  statutory  authority. 

Washington  Business  Group  on  Health  and  Hewlett  Packard  in- 
stead strongly  support  a  Congressional  confidentiality  solution 
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which  would  govern  all  types  of  health  records  and  regulate  em- 
ployers as  comprehensive  entities.  We  believe  that  only  legislation 
can  fully  address  these  issues  and  others  that  are  laid  out  in  our 
testimony  today. 

Also,  a  legislative  response  may  be  a  more  appropriate  vehicle  for 
formulating  and  revising  confidentiality  rules  in  an  area  that  is 
rapidly  evolving  due  to  increasing  use  and  application  of  e-health 
technologies. 

Although  this  committee  is  currently  debating  many  other 
weighty  health  care  issues,  we  urge  you  to  put  medical  confiden- 
tiality legislation  back  on  your  agenda  for  immediate  action. 

Thank  you. 

The  Chairman.  Thank  you,  Ms.  Farmer. 

[The  prepared  statement  of  Ms.  Farmer  follows:] 

Prepared  Statement  of  Kathy  Farmer 
i.  introduction 

Mr.  Chairman  and  Senators  of  the  Committee:  Good  Morning.  I  am  Kathy  Farm- 
er, Manager  of  U.S.  Compensation  and  Benefits  for  Hewlett  Packard,  a  leading  tech- 
nology provider  with  more  than  83,000  employees  in  120  countries  worldwide.  I  am 
also  an  active  participant  in  the  initiatives  of  the  Washington  Business  Group  on 
Health  (WBGH)  on  whose  behalf  I  will  be  testifying  today.  WBGH  has  historically 
been  a  strong  voice  in  the  emplover  community  and  remains  so  with  a  membership 
of  160  of  the  nation's  largest  and  most  innovative  pubUc  and  private  sector  employ- 
ers. WBGH's  members  provide  health  care  coverage  for  more  than  39  million  U.S. 
workers,  retirees,  and  their  families.  WBGH's  mission  since  1974  has  been  to  rep- 
resent employers  in  promoting  market-based,  performance-driven  health  care  deliv- 
ery systems  that  improve  the  health  and  productivity  of  companies  and  commu- 
nities. 

WBGH  and  its  members  such  as  Hewlett  Packard  have  been  keeping  a  watchful 
eye  on  both  legislative  and  regulatory  developments  in  the  area  of  medical  confiden- 
tiality since  the  Department  of  Health  and  Hiunan  Services  issued  their  first  pri- 
vacy docimient  in  1997.  Employers  know  that  we  have  a  key  stake  in  the  outcome 
of  this  very  contentious  debate.  If  authorization,  record  access,  research,  and  state 
law  preemption  requirements  do  not  recognize  the  complex,  integrated  environment 
that  employers'  health-related  plans  ciirrently  operate  in,  the  effective  fiinctioning 
of  these  programs  could  be  placed  in  serious  jeopardy. 

My  key  message  to  you  today  on  behalf  of  WBGH  and  its  members  is  simple:  we 
do  beheve  that  national  confidentiality  rules  are  needed  to  ensiu-e  that  sensitive 
health  data  is  not  misused  and  to  strengthen  consumer  trust.  However,  WBGH  does 
not  consider  HHS'  proposed  privacy  rule  either  an  optimum  or  workable  confiden- 
tiahty  solution.  There  are  numerous  provisions  outlined  in  the  proposed  regulation 
that  would  be  palatable  to  employers  such  as  the  statutory  autnonzation  approach 
for  "treatment,  payment,  and  health  care  operations."  Administrative  burden  would 
be  limited  under  this  approach  and  the  sensitive  questions  that  arise  when  an  em- 
ployer is  required  to  collect  an  authorization  to  use  individually  identifiable  health 
information  as  a  condition  of  a  workers'  enrollment  for  health  benefits  is  eliminated. 

Unfortunately,  despite  this  advantage,  HHS'  proposed  regulation,  when  analyzed 
in  its  entirety,  would  force  WBGH  employers  acting  as  covered  entities  to  navigate 
through  a  maze  of  unnecessarily  complex  data  use  restrictions  that  fail  to  acknowl- 
edge the  unique  nat\ire  of  routine  and  more  innovative  workplace  health  programs. 
WBGH  recognizes  that  many  of  the  regulation's  shortfalls  result  from  limitations  in 
HHS'  statutory  authority  but  also  believes  that  incomplete  knowledge  about  the 
complexities  of  employer  sponsored  health  programs  was  also  a  factor.  A  more  com- 
prehensive legislative  solution  is  needed. 

II.  problematic  portions  of  the  HHS  PROPOSED  PRIVACY  RULE 

There  are  a  niunber  of  important  reasons  why  HHS'  proposed  privacy  rule  falls 
short.  The  first  and  most  fundamental  of  these  reasons  is  the  proposed  rule's  defini- 
tion of  a  "covered  entity". 

Covered  Entities:  Due  to  the  statutory  confines  of  the  Health  Insurance  Port- 
ability and  Accountability  Act  (HIPAA),  tiie  proposed  regulation  could  only  apply  to 
an  employer  when  it  uses  or  transmits  electronic  individually  identifiable  health  in- 
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formation  in  a  health  plan,  health  care  provider,  or  business  partner  capacity. 
WBGH  believes  that  this  fragmented  regulatory  approach  would  be  very  difficult  to 
implement.  The  proposed  rule's  limited  appHcation  to  only  electronic  records  is  im- 
practical and  provides  little  incentive  for  covered  entities  to  progress  from  paper  to 
electronic  health  record-keeping.  The  electronic/paper  distinction  is  important  be- 
cause it  has  been  frequently  noted  that  paper  records  are  often  more  vulnerable  to 
improper  viewing  than  their  electronic  counterparts.  Why?  Electronic  records  can  be 
protected  by  more  sophisticated  technological  safeguards.  Under  the  proposed  regu- 
lation, individually  identifiable  health  information  on  paper  would  continue  to  be 
vulnerable  to  inappropriate  access,  which  is  an  undesiraDle  outcome  for  both  provid- 
ers and  users  of  health  care  services. 

Compliance  with  the  "covered  entities"  section  of  the  proposed  rule  would  neces- 
sitate black  and  white  determinations  about  which  workplace  personnel  are  acting 
as  covered  entities  within  the  complex  and  ever-changing  environment  of  employer- 
sponsored  health  programs.  It  would  also  require  employers  to  track  and  train  shift- 
ing rosters  of  their  health  plan,  health  provider,  and  business  partner  personnel 
across  large  multi-state  and  sometimes-international  corporate  operations.  This 
would  be  a  significant  burden.  We  are  not  suggesting  that  employers  be  exempt 
from  regulation.  Conversely,  we  support  federal  confidentiality  rules  that  extend  be- 
yond covering  only  certain  records  or  certain  divisions  within  an  employer.  We  de- 
sire confidentiality  rules  that  govern  all  tvpes  of  health  records  and  employers  as 
a  comprehensive  entity.  WBGH  realizes  that  HHS  does  not  have  authority  to  ex- 
pand the  type  of  records  and  covered  entities  to  which  the  proposed  rule  applies. 
However,  the  serious  consequences  that  result  fi-om  the  boundaries  HIPAA  has 
placed  on  HHS'  rule-making  power  must  be  acknowledged. 

An  additional  concern  related  to  the  regulation's  fragmentation,  is  the  exphcit  ex- 
clusion of  traditional  disability  and  workers'  compensation  insiirance  from  the  regu- 
lation's scope.  By  permitting  the  proposed  rule  to  govern  only  electronic  individually 
identifiable  health  information  derived  from  the  group  healtn  setting,  HHS  assumes 
that  group  health,  disability,  and  workers'  compensation  benefits  are  administered 
separately  from  one  another  and  can  be  subject  to  different  sets  of  data  rules.  This 
is  not  the  case  in  today's  business  world.  Even  in  the  simplest  benefit  administra- 
tion scenarios,  group  health  information  mast  cross  the  group  health-disability  in- 
surance divide  because  an  employer  making  disabiUty  benefits  determinations  rou- 
tinely needs  group  health  information. 

Fiirther  comphcations  would  arise  as  a  result  of  workers'  compensation  and  dis- 
ability insurance  functions  being  excluded  from  the  proposed  rule  because  in  the 
large  employer  setting,  advanced  benefit  integration  is  becoming  increasingly  com- 
mon. Forty-three  percent  of  employer  respondents  to  a  recent  WBGH  survey  indi- 
cated they  are  operating  integrated  disability  management  programs  which  coordi- 
nate occupational  disability  programs  (workers'  compensation),  non-occupational  dis- 
ability programs  (sick  pay,  short-term  disabihty,  long-term  disability)  and  other  rel- 
evant group  health  and  employee  assistance  programs.  By  uniting  these  programs, 
employers  seek  to  improve  worker  health,  lower  costs,  simplify  administration,  and 
improve  employee  access  to  benefits.  Information  from  these  programs  is  combined 
to  create  targeted  illness  and  prevention  efforts,  return- to- work  programs,  and  reha- 
bilitation and  medical  case  management  initiatives. 

Employers  recognize  the  political  impetus  to  place  disabiUty  insurance  and  work- 
ers' compensation  benefits  beyond  the  proposed  rule's  reach.  Workers'  compensation 
in  particular  is  an  area  traditionally  handled  by  the  states  and  powerful  interests 
argue  against  upsetting  the  oirrent  federal-state  regulatory  balance  in  this  area.  It 
seems  it  would  be  a  simple  solution  to  exempt  workers'  compensation  from  the  regu- 
lation under  the  proposed  standards,  as  workers'  compensation  has  been  exempted 
from  other  federal  laws  in  the  past.  However,  it  must  be  imderstood  that  the  appli- 
cation of  federal  standards  for  health  programs  while  exempting  workers'  compensa- 
tion and  disabihty  plans  compounds  the  difficulty,  for  both  employers  and  physi- 
cians, of  complying  with  the  complex  and  often  confusing  array  of  state  and  federal 
requirements  which  govern  the  exchange  of  individually  identifiable  information. 

A  carve-out  for  workers'  compensation  data  is  counterproductive  to  the  develop- 
ment of  integrated  benefit  and  disabiUty  programs.  As  constructed,  the  proposed 
rule  would  unduly  compUcate  employer  efforts  to  pool  health,  disability,  and  work- 
ers' compensation  data  to  coordinate  care  and  benefits,  faciUtate  payment,  identify 
at-risk  employees,  recognize  patterns  of  disabiUty  incidence,  or  target  individuals  or 
groups  for  health  interventions.  Why?  Because  each  category  of  electronic  individ- 
uaUy  identifiable  information — group  health,  disability  insurance,  and  workers'  com- 
pensation— would  be  subjected  to  a  different  set  of  use  and  transmission  rules. 

Relationship  to  Other  Laws:  The  second  area  in  which  WBGH  beUeves  HHS'  pro- 
posed privacy  rule  faUs  short  is  preemption.  The  proposed  regulation  stipulates  that 
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it  would  not  preempt  state  confidentiality  laws  that  are  contrary  to  or  more  strin- 
gent than  HHS'  new  standards.  These  preemption  provisions  are  very  disconcerting 
for  a  number  of  reasons.  First,  the  rule  seems  to  suggest,  perhaps  incorrectly,  the 
more  stringent  or  contrary  state  law  standard  would  apply  not  only  to  non-  ERISA  , 
health  plans  but  to  ERISA  health  plans  as  well.  Second,  an  adequate  definition  of 
contrary  and  stringent  is  not  provided.  Third,  covered  entities  and  their  business 
partners  have  no  direct  avenue  through  which  to  obtain  a  ruUng  from  HHS  on 
whether  a  law  is  contrary  or  stricter  than  federal  law  and,  therefore  preempted. 

Fourth,  HHS  has  failed  to  acknowledge  what  WBGH  and  its  members  know  to 
be  true:  that  ftdl  preemption  of  state  laws  is  essential  for  employers  who  often  have 
a  nationwide  web  of  locations  and  workers.  If  a  federal,  uniform  confidentiality 
standard  is  not  enacted,  the  fiinctioning  and  administration  of  employer  health-re- 
lated programs  could  be  placed  in  serious  jeopardy.  Although  currently  there  are 
only  a  handful  of  states  that  have  comprehensive  confidentiaUty  laws  on  the  books, 
more  states  are  moving  in  this  direction.  Employers  therefore  would  be  forced  to 
comply  with  a  burdensome  patchwork  of  state  laws  that  would  likely  grow  each  year 
subsequent  to  the  enactment  of  HHS'  final  confidentiality  rule. 

By  prohibiting  the  preemption  of  more  stringent  state  confidentiahty  laws,  the 
agency  has  falsely  concluded  that  stricter  laws  are  better  laws.  This  is  not  always 
the  case.  For  example,  in  a  1999  report  on  phvsician  report  cards,  the  General  Ac- 
counting Office  (GAO),  the  federal  government  s  own,  unbiased  research  arm,  found 
evidence  that  the  stringent  state  confidentiaUty  laws  of  Minnesota  halted  the  collec-  j 
tion  of  comparative  information  on  health  care  quality.  The  report  stated  "according 
to  a  Buyers  Health  Care  Action  Group  official,  Minnesota's  state  privacy  laws  forced 
the  group  to  abandon  its  attempts  to  collect  HEDIS  data  fi'om  care  systems  and 
have  hampered  attempts  to  obtain  survey  data  regarding  quaUty  of  care  for  people 
with  chronic  conditions."  A  uniform  national  approach  that  fully  preempts  all  state 
confidentiaUty  laws  would  be  most  desirable  and  would  avoid  situations  such  as  the 
one  described  in  GAO's  report, 

HHS  states  in  the  proposed  rule  that  it  is  not  intended  to  repeal  other  federal 
laws  and  should  instead  "supplement  existing  federal  law."  Our  fiflli  preemption 
concern  is  that  this  phrase  was  not  expUcitly  quaUfied  to  include  aU  provisions  of 
relevant  health  and  safety  laws  that  employers  comply  with  such  as  the  Americans 
with  DisabiUties  Act  and  the  Family  and  Medical  Leave  Act,  as  weU  as  Occupational 
Health  and  Safety  Administration,  Department  of  Transportation,  and  Federal  Avia- 
tion Administration  dictates.  These  laws  aUow  employers  to  legitimately  use  em- 
ployee individually  identifiable  health  data  for  a  broad  range  of  essential  purposes 
including  fitness  for  duty  tests,  worker  competency  exams  and  reasonable  accommo- 
dation decisions.  These  actions  must  be  permitted  to  continue  and  therefore  existing 
federal  laws,  like  those  Usted  above,  should  not  be  preempted  by  the  proposed  regu-  \ 
lation. 

Business  Partners:  The  third  area  in  which  WBGH  beUeves  HHS'  proposed  pri- 
vacy rule  faUs  short  is  the  business  partner  concept.  According  to  the  proposed  regu- 
lation, a  "business  partner"  would  be  any  person  or  organization  to  whom  the  em- 
ployer, acting  in  a  health  plan  or  health  care  provider  capacity,  discloses  electronic  / 
individuaUy  identifiable  health  information  so  that  the  business  partner  can  "carry  3 
out,  assist  with  the  performance  of,  or  perform"  a  function  on  behalf  of  an  employer  j 
health  plan,  employer  health  care  provider,  or  other  covered  entity.  Examples  of  ^ 
business  partners  external  to  the  employer  could  include  a  health  plan,  consulting  (i 
company,  third-party  administrator,  or  data  informatics  firm.  i 

An  employer  acting  as  a  health  plan  or  health  care  provider  could  only  disclose 
electronic  individuaUy  identifiable  health  information  to  a  business  partner  if  they  L 
had  "satisfactory  assurance"  that  the  partner  would  appropriately  safeguard  the 
identifiable  data.  Satisfactory  assurance  requirements  could  only  be  fiilfiUed 
through  a  signed  contract  between  an  employer  and  its  business  partner  requiring 
adequate  data  protections,  subcontractor  compUance  to  the  regulation,  and  prompt  i 
access  to  the  information  for  eitner  the  HHS  Secretary  or  individuals  who  are  the  )i 
subject  of  the  information. 

Unfortunately,  the  regulation  provides  no  guidance  as  to  whether  business  part- 
ner relationships  can  or  need  to  exist  within  different  divisions  of  the  same  em- 
ployer and  how  these  relationships  should  be  handled.  Discussions  between  WBGH 
and  HHS  failed  to  result  in  a  definitive  answer  to  this  question.  Because  the  pro- 
posed regulation  does  not  address  the  internal  business  partner  issue  and  the  agen- 
cy failed  to  articulate  a  clarification  after  the  preliminary  rule  was  released,  employ- 
ers are  left  with  ambiguities  and  a  series  of  unanswered  questions  such  as: 

Is  the  non-health  plan  or  provider  component  of  the  employer  a  business  partner 
of  the  health  plan  or  provider  component  of  the  employer?  Would  a  formal  contract  if 
have  to  be  signed  between  these  two  employer  entities? 
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What  if  electronic  individually  identifiable  information  originating  from  a  health 
plan  or  provider  portion  of  the  employer  was  transferred  to  a  non-health  plan  or 
provider  group  within  a  company  that  was  doing  nothing  on  behalf  of  the  employer 
health  plan  or  provider?  Would  the  non-health  plan  or  provider  constituency  still 
be  a  business  partner  of  the  employer  acting  as  a  health  plan  or  health  care  pro- 
vider? Or  would  it  instead  be  a  non-covered  entity  outside  the  scope  of  HHS'  regula- 
tions? 

Since  the  regulation  only  addresses  direct  business  partner  relationships  between 
two  covered  entities,  the  ambiguities  surrounding  employer  requirements  for  partici- 
pation in  a  third-party  business  partner  relationship  are  also  a  concern. 

Clearly,  HHS'  lack  of  guidance  on  these  issues  leads  to  operational  quandaries 
and  frustrating  uncertainties  for  employers  who  would  encounter  the  internal  busi- 
ness partner  question  on  a  day-to-day  basis  when  operating  workplace  programs. 
The  seamless  flow  of  electronic  individually  identifiable  health  data  within  the  em- 
ployer environment  would  be  seriously  compromised  if  the  proposed  rule  required 


record-keeping  and  administration  would  also  be  a  notable  burden 

The  proposed  rule's  business  partner  Uabihty  provisions  are  also  a  concern  for 
WBGH  and  its  employer  members.  Under  the  regulation,  an  employer  acting  as  a 
health  plan  or  health  care  provider  woiild  only  be  responsible  for  the  illegal  actions 
of  its  business  partner  to  the  extent  that  they  "knew  or  reasonably  should  have 
known  of  a  material  breach  of  contract  by  a  business  partner  and  failed  to  take  rea- 
sonable steps  to.. .end  the  breach  and  mitigate  its  effects."  WBGH  believes  that  this 
level  of  legal  accountabihty  and  the  civil  and  monetary  penalties  that  are  attached 
to  it  are  tor  the  most  part  appropriate.  However,  we  beUeve  that  the  "reasonably 
should  have  known"  was  defined  too  broadly  and  perhaps  should  be  eliminated.  Cov- 
ered entities  should  only  be  responsible  for  business  partner  breaches  of  which  they 
are  actually  cognizant.  A  clear  and  precise  roadmap  of  what  the  duty  to  mitigate 
entails  is  essential.  Such  a  roadmap  should  include  "mitigating"  examples  or  more 
preferably  a  precise  list  of  mitigation  compliance  activities. 

WBGH  has  one  remaining  concern  under  this  section:  the  provision  in  the  pro- 
posed rules  that  would  require  a  covered  entity  to  include  a  third  party  right-to- 
sue  in  its  contracts  with  business  partners.  It  is  not  clear  whether  HHS  intended 
I    through  this  provision  to  have  a  covered  entity  share  legal  responsibility  when  an 
individual  private  right  of  action  is  brought  against  a  covered  entity's  business  part- 
ner for  violating  the  proposed  regulation.  If  this  was  HHS'  intent  and  the  third- 
party  beneficiary  right  remains  in  the  final  regulation,  then  employers  acting  as 
health  plans  and  providers  and  other  covered  entities  will  face  the  highly  undesir- 
able conseauence  of  being  drawn  into  expensive  and  time-consimiing  lawsxiits  be- 
cause of  a  business  partners'  negUgence,  over  which  a  covered  entity  has  only  lim- 
ited control.  Notable  also  is  the  significant  expense  of  complying  with  the  third- 
party  right-to-sue  provision,  which  would  likely  result  in  higher  health  care  costs 
for  workers  and  beneficiaries. 
Minimum  Necessary  and  De-identified  Information:  The  fourth  area  in  which 
j  WBGH  believes  HHS'  proposed  privacy  rule  falls  short  are  the  rules  for  the  classi- 
!  fication  and  use  of  individually  identifiable  health  data.  Under  the  proposed  rule, 
I  all  disclosures  of  electronic  individually  identifiable  health  data  must  be  limited  to 
I  only  the  "minimum  necessary"  to  accompHsh  the  piupose  for  which  the  information 
was  revealed.  The  employer  would,  however,  get  to  determine  for  itself  the  mini- 
mum necessary  threshold  if  it  were  using  information  as  a  health  plan  or  health 
provider.  Despite  this  flexibihty,  WBGH  beheves  that  the  "minimum  necessary^  re- 
quirement is  quite  stringent  and  would  likely  impede  operation  of  both  routine  and 
'  more  innovative  workplace  health  related  programs. 

The  proposed  regulation's  listing  of  what  makes  information  governed  by  the  pro- 
I  posed  rule  identifiable  is  too  exhaustive  and  prescriptive  from  the  employer  perspec- 
*  tive.  Removing  such  things  as  birth  dates  and  geoidentifiers  (city,  county,  state,  zip 
i  I  code  or  equivalent  geocodes)  would  interfere  with  even  routine  health  plan  adminis- 
I  tration  and  analysis.  Employer-sponsored  health  plans  need  to  utiUze  the  geo- 
graphic data  of  their  beneficiaries  to  among  other  things  determine  which  health 
benefits  may  be  needed  most  in  a  certain  area.  Birth  dates  are  also  an  essential 
identifier,  which  are  often  required  to  monitor  the  effectiveness  of  a  health  plan's 
wellness  initiatives  like  childhood  immunization  initiatives.  To  conduct  these  tj^es 
of  targeted  investigations  one  would  need  identify  all  children  of  a  certain  age,  per- 
haps under  two  years  old.  This  would  not  be  possible  if  all  the  beneficiary's  birth 
'.  dates  had  been  forcibly  stripped  out. 

For  these  reasons,  WBGH  urged  HHS  to  re-evaluate  the  list  of  identifiers  that  the 
proposed  rule  mandates  must  be  removed  for  heath  information  to  be  considered 
identifiable,  in  Hght  of  the  legitimate  data  needs  of  an  employer  acting  as  a  covered 
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entity.  WBGH  hopes  that  such  a  re-evaluation  will  take  place,  but  realizes  there  are 
no  guarantees. 

Research:  The  fifth  key  concern  WBGH  has  with  the  proposed  privacy  rule  is  the 
manner  in  which  research  is  defined.  The  regulation  defines  research  as  a  "system- 
atic investigation  including  research  development,  testing,  and  evaluation  designed 
to  develop  or  contribute  to  generalizable  knowledge."  Numerous  cutting-edge  work- 
place initiatives  group  and  correlate  different  types  of  individually  identifiable 
health  information.  These  projects  are  done  to  quantify  and  understand  the  relation-  ^ 
ships  between  employee  health  and  a  variety  of  factors  such  as  absenteeism,  disabil-  li 
ity,  and  productivity.  WBGH  has  been  a  leader  in  identifying  metrics  to  better  un-  \ 
derstand  and  illustrate  the  relationship  between  worker  health  and  productivity. 
WBGH  members  have  been  some  of  the  first  in  the  nation  to  conduct  health  and 
productivity  management  (HPM)  projects  within  their  own  companies.  These  em-  < 
ployers  have  gained  valuable  and  applicable  insights  into  the  link  between  wellness  ■ 
and  productivity  by  analyzing  a  myriad  of  data  about  health  benefits,  employee  at-  j 
tendance,  and  corporate  workplace  practices.  They  have  found  that:  1)  absenteeism  l 
and  productivity  losses  are  often  consequences  of  unrecognized  and  poorly  managed  ; 
health  conditions;  2)  health  plan  cost-controls  may  work  against  employer  efforts  to  i 
manage  time-loss  and  other  disabihty  costs;  and  3)  work  climate  impacts  an  employ-  , 
ee's  health  outcomes  and  health  interventions  can  be  used  to  influence  work  climate. 
None  of  these  activities  would  be  possible  if  an  employer's  abiUty  to  legitimately  I 
analyze  identifiable  information  was  unduly  restricted.  I 

Because  the  proposed  regulations'  research  definition  is  so  broad  and  amorphous,  i 
a  significant  number  of  these  employer-sponsored  initiatives  could  be  subject  to  the 
new  research  requirements.  If  this  were  the  case,  employers  acting  in  a  health  plan 
or  health  provider  capacity  would  be  required  to  subject  their  research  projects  to 
a  mandatory  review  of  research  protocols  by  an  institutional  review  board  (IRB)  or 
equivalent  privacv  board.  They  could  alternatively  collect  signed  authorizations  from 
all  individuals  whose  electronic  individually  identifiable  data  is  being  used  in  the 
research  project. 

Although  employers  who  conduct  HPM  investigations  generally  subject  their 
project  designs  to  a  scientifically  rigorous  review,  the  proposed  regulation's  IRB  or 
privacy  board  review  process  would  be  an  additional  and  notable  divide  to  cross. 
WBGH  understands  the  need  to  obtain  authorization  when  using  electronic  individ- 
ually identifiable  health  information  for  HPM  projects,  because  they  do  not  fit  well 
into  the  more  traditional  "treatment,  payment,  and  health  care  operations"  struc- 
ture. However,  we  strongly  believe  that  such  projects  should  not  come  under  the 
proposed  rule's  research  framework.  The  improvements  these  projects  have  achieved 
in  worker  health  and  workplace  productivity  should  not  be  compromised.  The  pro- 
posed rule's  research  requirement  represents  a  significant  and  problematic  level  of  ^ 
regulation. 

Administrative  Safeguards:  Oiu-  last  substantive  concern  with  HHS'  proposed  pri- 
vacy rule  is  in  the  area  if  administrative  safeguards.  While  WBGH  does  not  object 
to  new  health  information  safeguards,  we  must  emphasize  that  the  new  notice,  over- 
sight, reporting,  disclosure,  tracking,  legal,  and  staff"  training  required  by  the  pro- 

Sosed  rule  will  result  in  significant  administrative  burdens  and  compliance  costs. 
[HS  itself  estimates  that  overall  first  year  rule  implementation  price  tag  would  be 
$1,165  biUion.  The  cost  of  the  HHS  regulation  to  employers  would  most  likely  be 
higher  than  complying  with  a  piece  of  confidentiality  legislation  passed  by  the  U.S. 
Congress.  Why?  Legislation  probably  would  not  necessitate  the  complex  contractual  i 
arrangements,  degree  of  state  confidentiality  law  tracking  and  adherence,  and  dif- 
ficult covered  entity  determinations  that  the  proposed  rule  reqxiires. 

III.  CONCLUSION  :  A  LEGISLATIVE  CONFIDENTIALITY  SOLUTION  IS  NEEDED 

It  is  my  hope  that  the  thoughts  I  have  expressed  to  the  Committee  today  do  not 
tarnish  HHS'  good-faith  effort  to  formulate  flexible,  yet  strong  new  privacy  stand-  | 
ards.  The  Department  has  attempted  to  properly  balance  the  interests  of  all  con- 
stituencies involved  in  the  confidentiality  debate,  which  is  no  small  feat.  To  its  cred- 
it, HHS  has  maintained  an  open-door  poUcy  that  has  permitted  many  groups,  in- 
cluding WBGH,  to  express  their  views  directly  to  Department  personnel  drafting  the 
proposed  privacy  rule.  Despite  this,  we  must  emphasize  our  continued  unease  with  : 
the  fragmented  infrastructure  the  proposed  regulation  would  create  and  the  con-  1 
sequences  of  this  disjointed  infrastructure  for  employer-sponsored  health  initiatives. 
Particularly  disconcerting  are  the  proposed  exclusion  of  non-electronic  individually  i 
identifiable  information,  ambiguously  and  xmnecessarily  complex  business  partner  \ 
relationships,  allowance  of  only  partial  preemption  of  state  confidentiality  laws,  and  i 
the  exclusion  of  all  individually  identifiable  health  information  related  to  disabihty  J 
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management  from  the  regulation's  scope.  Many  of  these  shortfalls  can  not  be  ad- 
dress^ by  HHS  should  a  final  privacy  rule  be  issued.  As  you  know  well,  the  Health 
Insurance  Portability  and  Accountability  Act  gave  the  Department  only  limited  stat- 
utory authority. 

WBGH  and  Hewlett  Packard,  therefore,  instead  strongly  support  a  Congressional 
confidentiality  solution  which  would  govern  all  types  of  health  records  and  regulate 
employers  as  comprehensive  entities.  We  beUeve  that  only  legislation  can  fully  ad- 
dress these  issues  and  others  laid  out  in  our  testimony  today.  Also,  a  legislative  re- 
sponse may  be  a  more  appropriate  vehicle  for  formulating  and  revising  confidential- 
ity rules  in  an  area  that  is  rapidly  evolving  due  to  the  increasing  use  and  appUca- 
tion  of  e-health  technologies. 

Although  this  committee  is  currently  debating  many  other  weighty  health  care 
issues,  we  urge  committee  members  to  put  medical  confidentiaUty  legislation  back 
on  your  agenda  for  action.  Given  the  very  real  possibility  that  HHS  may  issue  their 
final  privacy  regulations  in  late  2000  or  early  2001,  it  is  imperative  that  the  com- 
mittee take  action  now.  Both  WBGH  and  Hewlett  Packard  stand  ready  to  aid  legis- 
lators in  crafting  a  confidentiality  bill  that  not  only  protects  privacy,  but  also  ac- 
knowledges how  employers  and  others  use  critical  health  information  to  heal  indi- 
viduals and  maintain  maximum  fiinctionaUty. 

The  Chairman.  Dr.  Koski. 

Dr.  Koski.  Mr.  Chairman,  Senator  Kennedy,  and  distinguished 
members  of  the  committee,  thank  you  for  the  opportunity  to  testify 
before  you  today. 

I  know  that  you  have  all  heard  this  before,  but  I  am  going  to  say 
it  once  again:  The  American  people  are  seriously  concerned  about 
their  privacy.  They  are  concerned  because  information  is  being  col- 
lected about  them  often  without  their  knowledge;  it  is  being  used 
often  by  complete  strangers  in  ways  that  were  never  intended  and 
often  without  their  authorization.  This  is  completely  true  in  the 
area  of  health  information. 

As  Senator  Kennedy  has  noted  in  his  opening  remarks,  every  en- 
counter with  our  health  care  system  requires  that  individuals 
share  sensitive,  sometimes  intimate,  personal  information.  They  do 
so  with  the  reasonable  expectation  that  this  information  is  going  to 
be  used  to  care  for  them.  Few  appreciate  the  multitude  of  uses  and 
users  that  are  necessary  in  order  to  conduct  the  business  of  health 
care  in  today's  complex  system.  The  resulting  loss  of  privacy,  loss 
of  control,  loss  of  autonomy,  not  to  mention  the  highly-publicized 
abuses  that  have  occurred,  is  just  basis  for  this  concern. 

The  concerns  have  already  had  serious  consequences,  again  noted 
by  Senator  Kennedy.  Some  patients  already  refuse  to  confide  full 
information  to  their  caregivers,  and  many  fail  to  seek  care  at  all. 

Another  consequence  is  the  growing  resistance  among  the  Amer- 
ican population  to  use  personal  health  information  in  biomedical 
research.  The  American  people  for  generations  have  highly  valued 
research  and  have  been  willing  participants  provided  that  their  in- 
terests and  well-being  are  protected.  They  have  agreed  to  relin- 
quish absolute  privacy  of  their  health  information  for  the  common 
good  provided  they  are  afforded  respect  and  confidentiality. 

The  key  principle  here  is  balance.  The  Secretary's  proposed  regu- 
lations recognize  the  importance  of  health  research  and  will  allow 
researchers  to  use  without  individual  authorization  private  health 
information,  but  only  with  the  approval  of  an  institutional  review 
board,  to  protect  the  privacy  of  the  research  subjects. 

Critics  who  oppose  the  provisions  of  this  legislation  will  claim 
that  they  impose  severe  new  restrictions  that  will  overwhelm  the 
IRBs  and  make  such  research  impossible.  They  will  further  claim 
that  IRBs  lack  the  expertise  to  conduct  such  review. 
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Put  bluntly,  these  claims  are  simply  unjustified.  As  you  know,  I 
am  responsible  for  the  oversight  of  all  human  research  at  one  of 
the  Nation's  largest  and  most  highly-respected  academic  health 
care  systems.  I  have  been  an  IRB  chairperson  for  many  years  and 
also  serve  on  those  institutions*  confidentiality  steering  committees. 
Based  on  my  first-hand  experience,  I  would  like  to  set  this  record 
straight. 

In  1977,  the  U.S.  Privacy  Protection  Study  Commission  con- 
cluded that  research  use  of  private  health  information  was  accept- 
able provided  the  use  does  not  violate  any  of  the  limitations  under 
which  the  information  was  collected,  that  the  research  is  of  suffi- 
cient value  to  justify  the  invasion  of  privacy  and  that  it  could  not 
otherwise  be  done,  and  that  there  are  adequate  safeguards  for  | 
maintaining  confidentiality,  and  that  there  be  no  unauthorized  sec- 
ondai-y  uses  of  the  information  or  re-disclosures  to  third  parties. 

These  recommendations  were  accepted  by  the  national  commis-  | 
sion  and  were  incorporated  into  the  Federal  regulations  for  protec- 
tion of  human  research  subjects,  45  CFR  46,  otherwise  known  as 
the  Common  Rule. 

For  more  than  20  years,  IRBs  have  been  required  by  law  to  re-  \ 
view  research  involving  personal  health  information.  They  are  spe- 
cifically required  to  consider  the  risks  to  privacy  and  confidentiality 
in  their  deliberations,  and  this  includes  not  just  physical  risks  but 
risks  of  psychological,  social  and  economic  nature  which  are  attend- 
ant to  the  research. 

Current  OPRR  guidance  to  IRBs  and  investigators  includes  11 
pages  specifically  devoted  to  privacy  and  confidentiality  issues.  I 
have  brought  along  a  copy  of  these  regulations,  and  I  would  re- 
spectfully request  that  they  be  included  in  the  record  of  these  pro- 
ceedings along  with  my  remarks.  I 

The  Chairman.  They  will  be. 
i   [The  information  referred  to  follows:] 
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Some  IRBs  htve  gnidelines  tiut  pFolnbit  professors  from  solicitmg  their  students  as  subjects  and  supeivisorB  from  inchiding 
their  employees  in  research.  A  scientist's  proposai  to  involve  studaits,  technicians,  and  junior  memoers  of  the  laboratory  in 
bis  or  research  should  be  examined  with  care.  The  Une  between  protecting  the  vulncnble  and  being  unduly  paternalistic  is 
difficult  to  draw.  This  is  one  of  the  IRB's  recurrent  challenges.  But  avoidmg  the  use  of  a  group  of  subjects  rqjeatedly  on  the 
grounds  of  mere  convenience  must  not  prevent  fixe  and  competent  adults  from  vohinteering  to  be  subjects  of  research  as 
oftm  as  ttity  wish. 

Those  who  accept  the  risks  or  btirdens  of  being  research  subjects  should  be  die  ones  who  share  in  its  benefits  whenever 
possible.  One  group  of  subjects  should  not  be  asked  always  to  bear  die  risks  of  research  for  ttie  benefit  of  others.  Those  who 
have  participated  as  research  subjects  should  have  the  first  opportunity  to  receive  a  thfrapy  that  the  research  has 
demonstrated  to  be  safe  and  effective  (eg.,  subjects  of  clinical  trials  who  were  either  in  a  control  group  or  recipients  of  a 
ther^y  that  proved  not  to  be  superior  should  bo  offered  the  treatment  Aat  the  trial  demonstrated  to  be  preferable).  The  study 
design  should  provide  for  the  adequate  representation  of  women  and  minorities  in  the  study  population  so  that  the  findings 
will  be  meaningful  for  diose  groups  and  they  can,  dierefore,  share  in  the  benefits  of  the  research.  Adequate  representation  of 
women  and  isinoritieB  is  paiticulariy  important  in  studies  of  diseases,  disorden,  and  conditions  that  dispropoitioDately  affect 
them.  Note  that  risk/benefit  assessments  are  relevant  to  subject  selection  [see,  e.g.,  Guidebook  Chapter  5,  Section  B, 
'*Women^. 

POINTS  TO  CONSIDER 

1.  Will  the  burdens  of  participating  in  die  research  fall  on  diose  most  likely  to  benefit  aom  die  research? 

2.  Will  the  solicitation  of  subjects  avoid  placing  a  disproportionate  share  of  the  burdens  of  research  on  any  single  group? 

3.  Docs  die  nature  of  the  research  require  or  justify  ^jsing  the  proposed  subject  population? 

4.  Are  diere  any  groups  of  people  who  might  be  more  susceptible  to  die  risks  presented  by  die  study  and  who  therefore  ought 
to  be  exchided  from  the  research?  Are  die  procedures  for  identifying  such  individuals  adequate? 

5.  To  die  extent  diat  benefits  to  the  subjects  are  anticipated,  are  diey  distributed  fairly?  Do  other  groups  of  potential  subjects 
have  a  greater  need  to  receive  any  of  die  antic^ated  benefits? 

6.  To  the  extent  that  participation  in  the  studv  is  burdensome,  are  these  burdens  distributed  fairly?  Is  the  proposed  subject 
population  already  so  burdened  that  it  would  be  unfair  to  ask  them  to  accept  an  extra  burden? 

7.  Will  any  special  physiological,  psychological,  or  social  characteristics  of  the  subject  group  pose  special  risks  for  them? 

8.  Would  it  be  possible  to  conduct  die  snufy  with  other,  less  vubieiable  subjects?  What  additional  expense  or  inconvenience 
would  fliat  entail?  Doea  die  convenience  or  the  researcher  or  possible  improvement  in  the  quality  of  die  research  justify  die 
involvemeot  of  subjects  who  may  eidier  be  susceptible  to  pressure  or  who  are  already  burdened? 

9.  Has  die  selection  process  ove/prorecfeJ potential  subjects  who  are  considered  vulnerable  (e.g.,  children,  cognitively 
impaired,  economically  or  educationally  disadvantaged  persons,  patients  of  researchers,  seriously  ill  persons)  so  diat  diey  are 
doaied  opportunities  to  participate  in  research? 

10.  If  die  subjects  are  susceptible  to  pressures,  are  diere  mechanisms  that  might  be  used  to  reduce  die  pressures  or  minimize 
fbeir  m^nct? 

ATFUCABLE  LAWS  AND  REGULATIONS 

Federal  Policy  §  .11  l(aX3)  [Criteria  for  IRB  ^roval  of  research] 

21  CFR  56.1 1  l(aX3)  [FDA:  Criteria  for  IRB  ^roval  of  research] 

NIH  policy  '•^Tv^rninfl  inclusion  of  women  and  minorities  in  study  populadons.  NIH  Guide  for  Grants  and  Contracxs  20 
(No.  32,  August  23,  l$9l):  1-3.  The  policy  also  appears  in  die  application  packet  for  PHS  Grants,  form  PHS  398,  pp.  21-22, 
and  in  NIH  Requests  for  Proposals  (RFPs). 

Return  to  Top  of  Page 

D.  PRIVACY  AND  CONFTOENTIALITY 
INTRODUCTION 

The  possibility  that  research  may  invade  the  privacy  of  mdividualt  or  result  in  a  breach  of  confidentiality  sometimes  arises  in 
biomedical  and  behavioral  research.  Under  certain  circumstances,  an  invasion  of  privacy  or  breach  of  confidentiality  may 
even  present  a  risk  of  serious  harm  to  subjects  {e.g.,  as  ^en  the  researcher  obtains  information  about  subjects  ^t  would,  if 
disclosed  by  the  researcher,  jeopardize  their  jobs  or  lead  to  dieir  prosecution  for  cnminal  behavior).  Under  less  dramatic 
circomstancea,  an  invasion  of  jnlvacy  or  breach  of  confidentiality  can  be  a  moral  wrong,  or,  at  least  in  theory,  provide  cause 


52 


fox  legal  action  agahiBt  &  niewcher  or  institutioiL 

?rivacv  can  be  defined  in  tenns  of  having  coottol  ov«r  die  extent,  timing,  and  circumstances  of  sharing  oneself  (phyucaDy, 
behaviorally,  or  intellecmalfy)  with  others.  Confidentiality  pertains  to  the  treatment  of  infoimatian  that  an  individual  haa 
discbsed  in  a  lelatjonahD  of  trust  and  with  the  6]q>ectation  that  it  will  not  be  divulged  to  otiiers  in  ways  diat  ate  inconsistent 
widi  the  understanding  of  die  original  disclosure  widiont  permission. 

Piivaey  and  Reteareh.  In  die  context  of  research,  concerns  about  privacy  pertain  primarily  to  the  mcdiods  used  to  obtain 
information  about  subjects.  Objections  to  die  nuture  of  information  being  sought  in  research  are  sometimes  condwd  in  the 
language  of  privacy  (i.  e. ,  that  it  would  be  an  invasion  of  a  subject's  pnvacy  even  to  inquire  about  certain  matters  of  a 
personal  nature).  IRBs  are  often  reluctant  to  accept  these  arguments,  which  tend  to  preclude  research  on  such  topics.  In  any 
event,  &e  issue  of  whether  there  may  be  harm  in  asiang  certain  questions  is  less  a  matter  of  privacy  than  one  of  risks  versus 
benefits,  and  is,  therefore,  not  discussed  in  diis  Section. 

Researchers  ordinarily  use  information  diat  subjects  have  disclosed  or  provided  voluntarily  for  research  purposes  (i.e.,  widi 
their  informed  consent).  Under  diese  circumstances,  there  is  little  reason  for  concern  about  pnvacy.  other  dian  to  assure  that 
appropriate  confidentiality  of  research  data  is  maintained.  Where  privacy  issues  do  arise  is  in  regod  to  information  obtaimul 
for  research  purposes  without  die  consent  of  subjects.  Al&ough  serious  privacy  questions  arise  with  relatively  few  protocols 
reviewed  by  iRBs,  die  questions  diat  do  arise  can  involve  dif5cult  and  subjective  judgments  abom  matters  of  propriety. 

Concerns  about  the  privacy  interests  of  research  subjects  may  arise  in  several  different  contexts. 

Privacy  Issues  in  the  Use  of  Personally  IdentifiBble  Records.  Identi^iag  suitable  subjects  often  presents  no  ediical  fnoblems. 
Pl^cians  studying  a  particular  disease  may  be  able  to  identify  subjects  firom  among  dieir  own  patients,  and  the  sociologift 
interested  in  studying  people  who  have  rec«idy  been  nutried  can  identify  dieir  subjects  do-ough  public  records.  Privacy 
concerns  may  arise  when  poteitfial  subjects  cannot  be  identified  fi^om  public  records  or  from  sources  to  ndiicb  die 
researcher's  woric  provides  access. 

To  identify  suitable  subjects,  researchers  most  sometimes  Kptpmaxih  instimtions  (ej.,  bo^itals  or  schools)  seddng 
n^ormatian  generally  regarded  as  confidential  (eg.,  the  identity  of  patients  treated  for  a  particular  condition  or  students 
meeting  a  particular  criterion).  In  some  circumstances,  the  researcher  needs  infomation  diat  would  make  h  possible  to 
contact  suitable  subjects  to  obtain  f^irdier  data.  In  other  circumstances,  no  contact  widi  subjects  is  conteo^lated  because  die 
information  to  be  obtained  from  die  records  is  sufficient  (or  will  be  combined  with  data  fix>m  odier  sources).  In  these  cases, 
personal  identifiers  may  not  need  to  be  recorded  by  die  researchers,  or,  if  recorded,  can  be  destroyed  at  some  stage  of  the 
lesearcL  All  of  these  factors  arc  relevant  to  IRB  assessments  of  privacy  and  confidentiality  issues  in  research. 

When  patients  give  information  about  diemselves  to  a  doctor  or  hospital  for  die  ouipose  of  facilitating  diagnosis  or  treatment 
of  disease,  they  do  so  in  a  relationship  of  trust.  They  generally  expect  diat  die  iaionnation  will  be  shared  only  as  necessary 
for  their  hiealdi  care  or  reimbunemeat  by  dieii  insurance  company  or  other  third  party  payer;  patients  would  not  expeot 
information  that  identifies  ftem  to  Iw  passed  on  in  casual  conversations  at  cocktail  parties  or  made  available  to  journalists  or 
to  university  students  writing  ptqiers.  Nor  do  diey  necessarily  intend  diat  the  infoimation  will  be  shared  widi  even  dien: 
closest  fimiily  xnembers.  Health  care  providers  should  respect  die  patient's  trust  They  should  not  betray  the  confidence 

?'aced  in  diem.  (The  same  may  be  said  of  educators  wid:  regard  to  students,  and  of  employers  widi  regard  to  ecqiloyeeB.) 
et  sueh  coriidences  are  not  absohite;  patient  records  are  commonly  used  for  a  variety  of  purposes  omw  than  die  care  of  a 
particular  patient  C  for  the  oianagement  of  die  organization  through  quality  assurance  programs  and  for  utilization  review. 
To  say  that  an  organization  has  an  obligation  to  keep  certain  patient  irifomution  confiaeotial  does  not  resolve  the  question  of 
what  OSes  are  appropriate  for  those  records. 

Cleaily,  some  important  research  cannot  be  conducted  unless  en  investigator  gains  access  to  many  records  (sometimes 
flwuiaaA).  In  epidemiological  Btudie8»  scientists  may  seek  to  determine,  for  example,  whedier  certain  industrial  or 
CBvinnunental  contaminants  are  associated  widi  an  increase  in  birtii  defects  or  de^fas  from  cancer.  In  dieir  search  they  might 
wish  to  review  diousands  of  hospital  or  onployment  records  to  identify  infimtt  bom  widi  a  defect,  patients  Buffering  uom  a 
particular  form  of  cancer,  or  wodcen  exposed  to  a  particular  substance.  Without  access  to  such  records,  an  investigator 
cannot  identify  potential  subjects  or  match  die  relevant  records.  [See  Guidebook  Chapter  4.  Section  B,  "Epidemiologic 
Studio."] 

It  is  not  possible  to  specify  precisely  when  an  hutitution  should  honor  a  researcher's  remiest  to  examine  recorda  or  vbea  an 
IRB  should  approve  diis  potential  invasion  of  privacy.  In  1977,  tite  Privacy  Protection  Study  Commission  concluded  diat 
medical  records  can  lemtnoately  be  used  for  biomedical  or  epidemiological  research  without  the  individual's  ej^Iidt 
audioiization,  ivovided  that  the  medical  care  provider  maintaiaiag  die  record: 

(i)  determines  that  such  use  or  disclosure  does  not  violate  any  limitations  under  which  die  record  m  infonnation  waa 
collected; 

(ii)  ascertains  that  use  or  disclosnre  In  individually  identifiable  foim  b  necessary  to  acconqilish  the  research  or  statistical 
pnzpose  for  which  use  or  diacloauie  is  to  be  made; 

(iii)  determines  that  the  importance  of  the  research  or  statistical  purpose  for  which  any  use  or  disclosure  is  to  be  made  is  such 
as  to  warrant  the  risk  to  the  individual  from  additioDal  e^qwiure  of  the  record  or  infonnation  contained  dierein; 
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(iv)  tequirea  thst  adequate  lafe^uards  to  protect  die  rec<n^  or  infonnation  from  u&aulhonzcd  disclostue  be  established  and 
mahiUTned  by  the  user  or  recipient,  indudiDg  a  program  for  removal  or  destroctioa  of  identifiers;  and 

(v)  obtains  consent  in  writiiig  beftse  any  fnrtiier  use  or  redisclosure  of  the  record  or  tnfonnation  in  individually  identifiable 
fonn  is  permitted. 

The  National  Commission  endorsed  diis  recommendation,  end  concluded  that  in  studies  of  documents,  records,  or 
paAoIogical  specimens  where  the  subject*  are  identified,  informed  consent  may  be  waived  if  die  IRB  determines  diat  die 
subject's  interests  are  adeouately  protected  and  the  importance  of  ihe  research  justifies  die  invasion  of  privacy.  Unless 
otherwise  required  by  the  head  of  the  department  or  agency  funding  or  conducting  die  research,  federal  regukiions  (except 
flioee  promulgated  by  the  FDA)  exempt  from  review  iH  research  involving  die  collection  or  study  of  existiiu  data, 
doaanents,  records,  padiological  specimens,  or  diagnostic  spacimens  from  IRB  review  if  the  sources  are  publicly  available 
or  if  the  information  is  recorded  by  the  investigator  in  a  mnnnw  that  docs  not  allow  subjects  to  be  identified,  either  directly  or 
du-ough  identifiers  diat  are  linked  to  them  [Federal  'Policy  §     .101  (bK4)].  [See  also  Guidebook  Chapter  1 .  Section  A, 
'Jurisdiction  of  the  Institutional  Review  Board,"  and  ChapterT,  Section  A,  "Considerations  of  Research  Design  C 
lotroductioiL'^ 

In  cases  where  researchers  gain  access  to  identified  records  widiout  the  individual's  explicit  petmission,  mediods  for 
leducing  &e  aasociated  privacy  problems  should  be  considered.  For  instance,  an  institution  possessing  records  on  suitable 
subjects  may  be  willing  to  contact  them  and  ask  dieii  petmission  to  release  their  names  to  the  researcher-  Depending  on  &e 
purpose  of  die  research,  die  possible  biases  that  this  approach  would  create  may  be  unacceptable,  but  in  other  studies  it  may 
pteve  feasible.  Anodier  approach  ia  for  institutions  to  make  known  the  uses  to  which  its  records  may  be  put  in  advance,  so 
flttt  mdividtiali  will  be  aware  that  diek  records  may  be  used  in  research.  Some  institutioos  provide  an  opportunity  for  people 
to  consent  (or  withhold  consent)  to  use  at  the  time  of  die  initial  creation  of  ifac  record.  Other  institutions  have  been  reluctant 
to  do  this  because  of  eidier  logistical  difficulties  or  systematic  biases  diat  might  be  built  into  subsequent  research.  Still 
■DOfher  approach,  vdnch  may  be  feasible  on  occasion,  is  for  the  researcher  to  became  an  employee  of;  or  consultant  to,  the 
autitatios  and  diereby  gain  proper  access  to  the  records.  Various  other  creative  solutions  may  be  negotiated  amon^ 
itaearchm,  institutions,  ancf  IRBs.  No  fiim  rule  can  be  stated;  diis  is  one  of  many  areas  in  which  IRBs  must  exercise 
conmon  senae  and  sound  judgment. 

Obactratlonal  Studiet.  Of  all  the  mediods  used  to  locate  suitable  subjects  and  obtam  data,  covert  observation  and 
partieipant  obaervation  are  especially  likely  to  raise  concerns  about  privacy.  Covert  observation  includes  the  use  of  concealed 
devices  to  record  information  for  later  analysis  (e  g ,  tape  recording  conversations  or  videotaping  personal  interactions)  and 
cooceahnent  of  the  reaearcher  {e.g.,  behind  a  one-way  mirror)  as  the  behavior  of  subjects  is  observed  and  recorded.  In 
particqMnt  observation,  the  researcher  assumes  a  role  in  the  setting  or  group  being  studied.  When  die  purpose  of  dieae 
mediods  is  to  gain  access  to  irJ'onnation  not  ordinarily  available  to  "outsiders,"  questions  of  privacy  arise.  (Similar  issuet 
■bout  obtaining  information  not  intended  to  be  disclosed  can  be  raised  about  many  other  forms  of  research  diat  involve 
dacaptloiL) 

$ev«nl  factors  may  be  relevant  to  an  IRB's  evahiation  of  such  privacy  questions.  One  is  die  extent  to  which  the  behavior  in 
qoeatioB  is  public.  Covert  observation  of  public  behavior  (e.g.,  observing  pedestrians  on  the  street)  raises  little  if  any  concern 
WOOt  privacy;  concealed  observation  of  people  in  their  homes  would  be  quite  aoodier  matter.  Some  behavior  that  occurs  in 
public  places  may  not  really  be  public  behsvior  C  the  individuals  involved  have  a  reasonable  expectation  of  privacy. 
Reaeaich  involving  covert  recording  of  conversations  in  public  parks  or  filming  of  activities  in  public  rest  rooms  clearly 
xaiacs  invasion  of  privacy  questions.  Observational  studies  in  quasi-public  places  {e.g.,  hospital  emergency  rooms  or  state 
maottl  hospital  wards)  may  also  raise  such  concerns. 

A  question  acmetimes  raised  about  die  use  of  covert  observation  in  research  is  whedier  an  ethical  issue  exists  if  the  subjects 
never  become  aware  of  the  invasion  of  privacv.  That  is,  if  subjects  are  never  aware  that  their  behavior  has  been  observed  or 
recorded  for  reiearch  purposes,  they  can  hardly  feel  cmbairassed,  guilty,  or  iat  their  nghts  have  been  violated.  On  die  other 
hand,  it  can  bo  argued  that  an  invasion  of  privacy  is  wrong,  whedier  or  not  the  subjects  are  ever  aware  of  it  In  some  cases, 
mbjecta  may  inadvertcndy  leam  of  their  invotvement  in  the  research,  perhaps  when  the  study  is  published,  and  feel  diat  they 
have  been  haimed. 

Most  observational  research,  except  diat  involving  children  and  minors,  is  exaapt  from  federal  regulations.  For  smdiea 
involving  adults,  ctirrcnt  rogations  require  IRB  review  only  for  die  most  risky  observational  investigations  C  those  in  which 
two  conations  exist:  (1)  the  observations  are  recorded  in  a  mannw  that  allows  die  subjects  to  be  identified,  direcdy  or 
dmragh  identifiers  linked  to  them;  and  (2)  die  observations  recorded,  if  they  became  Imown  outside  the  research,  could 
xcaaonably  place  die  subject  either  at  risk  of  criminal  or  civil  liability  or  cause  damage  to  die  subject's  financial  standing, 

eiqjloyabihty ,  or  reputation  [Federal  Policy  §  .  1 0 1  (b)(2)].  Clearly,  in  such  studies  one  of  die  IRB's  major  concerns  should 

be  to  determine  if  it  is  necessary  to  record  information  in  a  way  that  entails  such  risk,  and,  if  so,  whether  ttie  provisions  for 
maintaining  coiLfidentiality  of  the  data  are  adequate.  Observational  research  involving  children  and  minors  must  be  reviewed 
by  the  IRB  unless  die  research  iirvolves  observations  of  public  behavior  when  the  investigator(s)  do  not  participaee  in  the 
activities  being  observed;  IRfi  review  ia  also  required  where  the  two  conditions  described  above  obtain  (i.e.,  identifleis  will 
be  recorded  and  die  observations  could  place  the  subjects  at  risk). 

Confidentiality  of  Research  Data.  A  major  set  of  concerns  about  confidentiality  pertains  to  die  methods  used  to  ensure  that 
informatioa  obtained  by  leseaicbers  about  dieir  tobjects  is  not  is^roperiy  divulged.  Perhaps  because  die  creation  and 
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haadlin|  of  confidential  records  it  routine  is  medical  instilutioiu,  discuasions  of  confidentiality  as  a  special  er&ical 
responsibility  of  researchers  have  been  more  prominent  in  dte  social  sciences  dun  in  die  biomedical  sciences.  Neverdialess. 
±e  need  for  confidentiality  exists  in  virtually  all  studies  in  which  data  are  collected  about  identified  subjects.  It  is  m  the 
interest  of  researchers  C  and  essential  to  die  conduct  of  research  on  sensitive  topics  C  dut  researchers  be  able  to  offer 
subjects  some  assurance  of  confidentiality.  These  assurances  should  be  given  honest^,  -vbick  sometimes  requires  die 
researcher  and  die  IRB  to  make  explicit  provisions  for  preventing  breaches  of  confidentiality. 

In  most  research,  assuring  confidentiality  is  only  a  matter  of  following  some  routine  practices:  substituting  codes  for 
identifiers,  removing  face  ^eets  (contaiiking  such  items  as  names  and  addresses)  from  survey  instruments  containing  data, 
properly  disposing  of  computer  sheets  and  odier  papers,  limiting  access  to  identified  data,  impressing  on  die  reseanm  staff 
Ike  inq>ortaQce  of  confidentiality,  and  storing  research  records  in  locked  cabinets.  Most  researchers  are  fiuniHar  with  the 
routine  precaunons  that  should  be  taken  to  maintain  the  confidentiality  of  data.  More  elaborate  procethnxa  may  be  iteeded  in 
some  studies,  eidier  to  give  subjects  the  confidence  they  need  to  participate  and  answer  questions  honestly,  oi  to  enable 
researchers  to  offer  strong,  truMiil  assurances  of  confidentiality.  Such  elaborate  procedures  may  be  partictdarly  necessary 
for  studies  in  which  data  are  collected  on  sensitive  matters  such  as  sexual  behavior  or  criminal  activities. 

In  studies  where  subjects  are  selected  because  of  a  sensitive,  stigmatizing,  or  illegal  characteristic  {eg.,  persons  who  have 
sexually  abused  children,  sought  treatment  in  a  drug  abuse  program,  or  who  have  tested  positive  for  HIV),  keeping  die 
identity  of  pardcipantfi  confidential  may  be  as  or  more  important  dian  keeping  die  data  obtained  about  die  partic^ants 
confidential.  Is  such  instances,  any  written  record  linking  subjects  to  die  study  can  create  a  dveat  to  confidentiality.  Having 
the  subjects  of  &ese  studies  sign  consent  forms  may  increase  the  risk  of  a  breach  of  confidentiality,  because  the  consent  form 
itself  constitutes  a  record,  complete  widi  signature,  that  identifies  particular  mdividuals  of  the  group  studied.  The  Federal 
Policy  allows  IRBs  to  waive  the  requirement  for  die  investigator  to  obtain  a  signed  consent  form  where  it  will  be  the  onlv 
record  linking  subjects  to  die  research,  and  where  a  breach  of  confidentiality  presents  ^  principal  risk  of  hann  diat  might 

result  D^om  the  research  [Federal  Poli^  §  -1 17(c)].  FDA  regulations  allow  IRBs  to  waive  die  signed  consent  form 

requirement  only  when  die  research  presents  no  more  than  minimal  risk  and  involves  procedures  that  do  not  normally  require 
conacnt  when  performed  outside  die  research  context  [21  CFK  56.109(c)].  If  bofli  FDA  regulations  and  die  Federal  Policy 
apply  to  a  protocol,  the  IRB  must  meet  die  requirements  of  bodi.  In  this  instance,  dooumcntation  of  informed  consent  can  be 
waived  only  if  die  consent  fonn  is  the  sole  record  linking  subjects  to  die  research,  the  research  involves  minimal  risk,  breach 
of  confidentiality  is  the  principal  risk  of  harm  and  die  procedure  involved  in  die  research  is  one  that  does  not  normally 
require  consent  when  perforrned  outside  the  resesrch  context.  (Note  diat  the  foregoing  waiver  provisions  apply  to 
documentation  of  informed  consent  and  not  waiver  of  the  requirement  to  obtain  mfotmsd  consent) 

Where  data  are  being  collected  about  sensitive  issues  (such  as  illegal  behavios,  alcohol  or  drug  use,  or  sexual  praeticM  or 
prefareoces)  protection  of  confidentiality  consists  of  more  dian  preventing  accidental  disclosures.  There  have  been  innanres 
where  the  idoitities  of  subjects  or  research  data  i^out  particular  subjects  have  been  sought  by  law  enforcement  agendea, 
sometimes  under  subpoena,  and  with  the  direat  of  incarceration  of  the  uncooperative  researcher.  Under  federal  law  (and 
some  ftata  laws),  researcheis  can  obtain  an  advance  grant  of  confidentiality  diat  will  piovide  protection  even  against  a 
subpoena  for  research  data  [Public  Health  Service  Act  §301(d)].  Aldunigh  regulations  inqilementing  §301(d)  at  not  in  place 
as  of  duB  wilting,  the  PHS  has  issued  on  Interim  Policy  Statement  [abo  called  die  "Interim  Guidance"  (May  22,  1989)]  diat 
sets  fordi  PHS  policy  exercising  the  its  authority  to  grant  certificates  of  confidentiality.  Section  301(d)  extends  to 
"biomedical,  behavioral,  clinical,  or  other  research"  on  earlier  authority  (in  '303  of  die  Public  Health  Service  Act)  diat  was 
available  only  for  "reaearch  on  mental  healdi,  including  research  on  the  use  and  effect  of  alcohol  and  other  psychoactive 
drugs." 

To  take  advantage  of  §301  (d).  the  investigator  must  request  a  grant  of  confidentiality  from  the  appropriate  official 
Protection  for  research  on  mental  disorders  or  die  use  and  effects  of  alcohol  and  other  psychoactive  orugs  can  be  obtained 
firom  die  National  Institute  on  Alcohol  Abuse  and  Akoholism  (NIAAA),  die  National  Institute  on  Drug  Abuse  (NIDA).  or 
die  National  Institute  of  Menial  Healdi  (NIMH),  vMch,  in  1991,  became  components  of  NIH.  Certificates  of  eonfidratiality 
for  biomedical,  behavioral,  clinical,  or  other  research  diat  docs  not  fall  into  these  categories  are  issued  by  die  Assistant 
Secretary  for  Health.  Protection  is  available  fon  (1)  direct  federal  activities  {ie.,  intrammal  research);  (2)  federally-funded 
activities;  and  (3)  research  in  the  United  States  that  has  no  federal  fimding  Under  the  Interim  Policy,  protection  will  be 
granted  "sparingly,"  and  only  "when  the  research  is  of  a  sensitive  nature  where  the  protection  is  judged  necessary  to  achieve 
the  research  objectives."  Tlie  Pohcy  defines  "sensitive''  research  as  involving  the  collection  of  information  falling  into  any  of 
the  following  categories: 

(a)  Information  relating  to  sexual  attitudes,  preferences,  or  practices; 

(b)  Information  relating  to  the  use  of  alcohol,  drugs,  or  other  addictive  products; 

(c)  Information  pertaining  to  illegal  conduct; 

(d)  Information  that  if  released  could  reasonably  be  damaging  to  an  individual's  finanrii^i  standing,  employability,  or 
reputation  within  die  community; 

(e)  Information  diat  would  normally  be  recorded  in  a  patient* s  medical  record,  and  die  disclosure  of  which  could  reasonably 
lead  to  social  stigmatization  or  disoimtnation; 

(f)  Information  pertaining  to  an  individual's  psychological  well-being  or  mental  healdt 


55 


Information  in  other  categoriei,  not  listed  here,  nnght  also  be  zcnsidend  ««nanve  because  of  specific  cultunl  or  other 
fectors,  and  protectioo  can  be  granisd  in  such  asts  upon  appropriate  justification  and  expUnation- 

Additianal  policy  consideration  apply  to  research  that  involves  the  collection  of  data  that  relates  to  coinmuaicable  diseaaes. 
The  Aisjatant  Secretanr  for  Health  has,  therefore,  issued  a  flrthcr  PHS  poacy  on  the  panting  of  certificatea  of  confidentiality 
to  projects  that  "intend  routindy  to  determiae  whether  ita  jubjects  have  connnunicabie  diseases  and  taat  are  required  to 
report  them  iicder  State  law"  [Memorandum,  Jszaes  0.  Meson,  "CertiCcatei  of  ConfidennalityC  Diseaie  Reporticg,"  Aurat 
9,  1991].  CertiScates  will  be  issued;  (1)  where  tiie  refeiring  tsatiag  physicians  aaanre  the  project  that  liey  have  cotaplieo 
■widi  repotting  requircmsnts;  or  (2)  where  diere  u  no  referring  ptyiicua,  the  investigaujr  has  reached  an  agreement  wife  the 
health  aepartmetit  about  how  he  or  she  will  cooperate  with  the  department  to  help  seive  the  purpoaea  of  the  reporting 
requiremcnlB  (tmless  the  investigator  can  ahow  wby  such  cooperanon  is  preclud^);  and  (3)  only  where  disclosurea  of 
identifiable  infonnfltioc  about  subjects  comply  with  regulations  on  subject  protection  and  are  explained  clesily  to  subjects 
prior  to  flieir  participation. 

For  fiirtiier  infonnatiOT  concerning  PHS  certificates  of  coafidentulity  under  '301(d)  of  the  Public  Health  Savice  Act  and  the 
jptf-rim  Qaidance,  contact: 

Ma.  Ol^a  Bolkeas 

National  Instituta  of  Mental  Health 
17C-02  Parklawn  Building 
5600  FUhenLane 
Rockrflle,  MD  20857 
Tel:  (301)  443-3877 

In  addition  to  certificatea  of  confidentiality  available  und«  §30I(d),  the  U.S.  Attorney  Qenerai  is  sutiiorized  to  grant 
protection  for  research  concerning  drug  aSuae  under  ±c  Controlled  Substance  Art  For  more  information  write  to  the  Drug 
Enforeeroeni  Adminiatratian,  14501  I  St,  N.W..  Washington.  D.C.  20537. 

For  studies  is  which  die  data  to  be  obtained  concern  illegal  or  rdgmatizag  activities  but  which  are  not  eligible  for  these 
statutory  shields  againat  lubpoena,  carefiil  attention  should  be  givo:  to  a  senes  of  decisioiis  related  to  confidentiality:  (1) 
whether  the  researeher  wiE  record  subject  ideatifien  at  aE  (inch:dmg  on  conaeai  forms);  (2)  if  identifien  are  to  be  coDocted, 
whether  they  will  be  retamed  after  the  data  are  coded;  (3)  if  identifiers  are  not  destroyed,  how  are  they  to  be  marntaTred^  and 
(4)  what  rubjocts  should  be  told  about  these  matter?  as  part  of  the  ziformed  conaent  process.  Some  researchers  enlist  a  third 
party  (sooQctiinea  in  another  country)  to  act  as  a  custodian  of  keys  to  coded  identifiers  or  lists  of  participants.  Tins  approach 
may  provide  some  protection  for  the  data,  but  may  expose  4e  researcher  to  legal  risks  VrTiere  such  steps  arc  contemplated, 
tnvcstigatcn  should  seci-  competent  legal  advice  regarding  the  advisability  of  sas±  arrangements. 

Qeariy,  different  types  of  itudiea  entail  different  confidentiahty  problems.  A  variety  of  methods  for  protecting 
confidentiality  are  available  for  difiereol  situations,  tnchiding  situations  in  whidi  there  is  a  danger  of  dedurtive  identification 
of  otbarwisc  anonymous  tubjeas  on  the  basis  of  separate  elements  of  data  (e  g.,  birthdate,  occupation,  and  zap  code).  A 
tobatastial  and  highly  specialized  literature  has  developed  on  methods  for  safeguarding  confidentiality.  Among  the  aveHabie 
metiiods  for  aaruriag  confidentiality  are  statistical  techniques  and  physical  or  camputenzed  methoda  for  marntatni-ng  tiia 
security  of  stored  data.  The  meat  sensitive  the  data  being  collected,  tie  more  nnportant  it  is  for  the  researcher  and  the  IRB  to 
be  familiar  with  the  state  of  die  art  m  protecting  confidentiality. 

IM  CONSIDERATIONS 

Pltracy.  In  reviewing  scanc  protocola,  an  IRB  may  have  to  consider  whether  as  invasion  of  pnvacy  ia  involved.  No  ready 
and  clear  criteria  are  available  for  evaluating  this  question.  IRBs  must  base  decisioas  on  their  members'  sense  of  propriety 
aad  the  particular  circumstances  of  the  study.  Among  die  relevant  factors  are:  the  private  nature  of  the  infoimaiion  sougla, 
the  KkeChood  the  subj  ects  would  regard  the  release  of  infoimatiQc  as  an  invasion  of  pdvacy,  the  importance  of  the  research, 
■ad  &e  availahility  of  alternative  ways  to  do  the  study. 

MnA  research  in  which  privacy  concenu  may  be  relevant  will  not  necessarily  come  to  the  attention  of  the  IRB.  Under 
federal  regulationa,  IRBs  need  not  even  review  proposed  research  involving  observation  unless  someone  the 
investigator  or  department  head)  determiQes  that  it  Mis  in  ±s  category  of  research  ±iat  reqi:ircs  IRB  review,  as  discussed 

above  [Federal  Policy  §-  .101(bX2)].  Some  institutions  review  all  observaticiial  research,  as  a  matter  of  policy,  to  ensure 

that  the  IRB  sees  those  few  protocols  for  which  review  is  required.  Although  the  Federal  Policy  exempts  mm  IRB  review 
most  research  involvmg  access  to  existing  records,  dan,  and  surgical  and  diagnoctic  specimens,  some  institctions  reqtiire 
review  of  the  protocols  to  assure  that  the  information  is  sought  for  a  legrtimaie  purpose  and  that  research  involving  a  record 
of  individually  ideaiifiable  infoossatioa  receive*  regular  IRB  review. 

Invettigalora  sometimes  want  access  to  (BL'trir.g  records  to  identify  people  suitable  for  inclusion  m  a  study.  If  the  subjects' 
names  will  be  recorded  by  the  investigator  for  follow-up  (either  for  fur±er  record  reviews  or  for  personal  contact),  this 
research  requires  IRB  review.  In  such  instances,  the  IRB  must  detennme  whether  the  consent  of  subjects  should  be  sought 
(e.g-.,  by  the  insnmtion  holdmg  the  records)  before  the  researcher  gains  access  to  the  records.  Factors  to  consider  in  deciding 
if  conaeTn  must  be  sought  inchjde  the  scnaitvity  of  the  informaticn  to  be  reviewed,  the  vulnerability  of  the  subject 
population,  and  3ie  purpoae  for  ^^^h  the  investigator  wants  access  lo  the  information.  The  Buckley  Amendment  [the 
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Genenl  Education  Provisions  Act  (20  USC  1232)]  requiies  parental  consent  for  release  of  records  or  identifiable  information 
Aoai  children  in  public  schools;  instructional  materials  to  be  used  in  connection  widi  any  research  or  experimental  piogram 
must  be  open  to  inspection  by  the  parents  or  guardians  of  die  children  to  be  involved. 

Protection  of  ConfldentiaUty.  When  information  linked  to  individuals  will  be  recorded  as  part  of  the  research  design,  IRBs 
should  assure  that  adequate  precautions  will  be  taken  to  safeguard  the  confidentiality  of  the  information.  Sensitive 
information  is  sometimes  obtained  in  Oie  course  of  behavioral  research,  research  witii  the  cognitively  impaired,  AIDS 
research,  and  research  dealing  widi  drag  and  alcohol  abuse.  Various  specialized  security  medioda  have  been  developed  to 
maintain  die  confidentiality  of  such  infoimatioiL  IRBs  that  review  research  in  which  confidentiality  of  data  is  important 
should  have  at  least  one  member  (or  consultant)  familiar  with  the  strengths  and  weaknesses  of  the  different  mechanisms 
available,  including  the  statutory  shields  against  subpoena  that  are  available.  IRBs  should  also  be  aware  of  the  regulatory 
provision  for  waiving  documentation  of  consent  when  a  signed  consent  form  would  itself  consiioite  a  risk  to  the  subjects 
[Federal  Policy  §  .  1 1 7(c)(  1 )]. 

Finally,  IRBs  should  be  aware  that  federal  officials  have  the  right  to  mspect  research  records,  including  consent  forms  and 
individual  medical  records,  to  ensure  conqiliance  with  die  rules  and  standards  of  their  programs.  FDA  rules  require  that 
infoxmatioa  regarding  this  authority  be  included  on  the  consent  forms  for  all  research  rcgiJated  b)'  that  agency;  tite  Federal 
Policy,  which  qiplies  to  DHHS,  and  FDA  regulations  require  that  subjects  be  informed  of  the  extent  to  which  confidentiality 

of  research  records  can  be  naaintained  [Federal  Policy  §  .  1 16(aX5);  21  CFR  50.25(bX5)].  Identifiable  information 

obtained  by  federal  officials  during  such  inspections  is  protected  by  die  provisions  of  the  Privacy  Act  of  1974. 

POINTS  TO  CONSIDER 

1.  Does  the  research  involve  observation  or  intrusioa  in  situations  where  the  subjects  have  a  reasonable  expectation  of 
privacjr?  Would  reasonable  people  be  ofTended  by  such  an  intrusion?  Can  die  research  be  redesigned  to  avoid  the  intrusion? 

2.  If  privacy  is  to  be  invaded,  does  the  importance  of  the  research  objective  justiiy  the  intrusion?  What  if  anything,  will  Uie 
subject  be  told  later? 

3.  If  the  investigators  want  to  review  existing  records  to  select  subjects  for  further  study,  whose  peimiGsion  should  be  sought 
for  access  to  fhoac  records  (the  physician,  the  instimtion  mainlaimng  the  records,  die  subjects)?  How  should  the  subjects  bie 
approached  (through  their  physician,  the  medical  records  department,  die  institution)? 

4.  Will  the  investigator(8)  be  collecting  sensidve  information  about  individuals?  If  so,  have  diey  made  adequate  proviaioni 
fox  protecting  the  confidentiality  of  the  data  dirough  coding,  destraction  of  identifying  information,  limiting  access  to  the 
data,  or  whatever  methods  that  may  be  appropnate  to  die  study?  If  the  information  obtained  about  subjects  might  interest  law 
enforcement  or  other  government  agencies  to  die  extent  that  ^ey  might  demand  personally  identifiable  iofonoation,  can  a 
grant  of  confidentiality  be  sought  from  a  federal  or  state  agency  to  protect  the  research  data  and  die  identity  of  &e  subjects 
from  subpoena  or  odier  legal  process? 

5.  Are  the  investigator's  disclosures  to  subjects  about  confidentiality  adequate?  Should  documentation  of  consent  be  waived 
in  order  to  protect  confidentiality? 

AFPUCABLE  LAWS  AND  REGULATIONS 

The  Public  Heatdi  Service  Act  r§301(d)}  permits  the  Secretary,  HHS,  to  authorize  persons  conducting  biomedical  and 
bdiBvioral  research  to  protect  the  privacy  of  subjects,  even  against  subpoena.  Persons  so  authorized  may  not  be  con^elled  to 
testify  in  any  federal,  state,  or  local  civil,  criminal,  admmistrative,  legislative,  or  other  proceedings.  Regulations  that  predate 
{301(d)  and  dut  are  used  for  guidance  in  iiiq>leinentiQg '301(d)  for  research  relating  to  mental  heal&  (includiQg  alcohol  and 
drug  aVose)  are  published  at  42  CFR  2A.  The  "Interim  Policy  Statement"  on  protection  of  identity  of  research  subjects  dated 
May  22. 1989.  gets  forth  the  policy  of  the  PHS  in  accordance  with  §301  (d). 

The  Controlled  Substance  Act  (21  USC  872)  permits  die  U.S.  Attorney  General  to  authorize  persons  conducting  educational 
or  research  programs  concerning  drug  abuse  to  withhold  the  names  and  other  identiiying  characteristics  of  the  subjects  of 
such  research.  This  provision  is  implemented  by  FDA  regulations  pubhshed  at  2 1  CFR  1 3 1 5 .2 1 . 

The  Buckley  Amendment  to  die  General  Education  Provisions  Act  (20  USC  1232)  requires  parental  permission  for  access  to 
records  or  identifiable  information  of  children  in  public  schools. 

Hie  Privacy  Act  of  1974  [5  USC  S52(a)]  prohibits  federal  agencies  from  disclosing  records  maintained  in  a  system  of 
records  to  any  person,  widi  certain  exceptions,  or  other  agency  except  upon  a  written  request  by,  or  widi  die  prior  written 
consent  of,  die  individual  to  whom  the  record  pertains. 

The  Freedom  of  Information  Act  (S  USC  SS2)  exenqits  information  such  as  medical  or  persoimel  records  the  disclosure  of 
which  would  constitute  a  clearly  unwarranted  invasion  of  personal  privacy  from  mandatory  release  by  federal  agencies. 

Federal  Policy  §  A01(b)(2)  [To  ■wdiat  does  this  policy  apply?] 

Federal  Policy  §  .  1 0 1  (b)(4)  [To  what  does  tiiis  policy  apply?] 

Federal  Policy  §     .  1 1 5(aX5)  [HIB  records] 
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Dr.  KOSKI.  Many  of  these  studies  involve  minimal  risks,  and 
these  can  be  approved  through  expedited  review  procedures.  At  in- 
stitutions with  an  appropriately-staffed  human  research  office,  the 
process  requires  no  more  than  a  few  days.  This  is  a  very  small 
price  to  pay  for  a  process  that  has  effectively  protected  the  privacy 
interests  of  research  subjects  for  more  than  two  decades  and  has 
allowed  this  work  to  proceed  in  a  responsible  fashion. 

Yes,  it  would  be  easier  and  quicker  to  do  this  research  without 
restrictions  and  without  oversight.  But  let  there  be  no  mistake — 
if  we  fail  to  protect  the  privacy  of  the  individuals  who  are  the  sub- 
jects of  this  research,  there  will  be  a  further  erosion  of  confidence 
in  the  system,  and  this  will  inevitably  lead  to  more  restrictions, 
and  this  indeed  will  bring  such  research  to  a  standstill. 

While  I  generally  support  the  Secretary's  proposed  regulations 
regarding  research  uses  of  personal  health  information,  I  do  have 
one  concern.  The  proposal  to  allow  privacy  boards  to  oversee  such 
research  in  lieu  of  IRBs  establishes  a  separate  but  not  equal  path- 
way that  will  allow  such  research  to  circumvent  the  IRB  process. 
While  it  seems  perfectly  reasonable  to  me  to  allow  an  institution 
that  does  not  have  a  significant  research  volume  or  does  not  have 
an  IRB  to  constitute  such  a  privacy  board  and  to  allow  that  board 
to  rely  upon  the  IRB  review  from  another  institution,  I  believe  that 
all  human  research  must  be  reviewed  and  approved  through  an  ap- 
propriately constituted  IRB  under  the  pertinent  regulations. 

That  concludes  my  prepared  statement.  I  will  be  happy  to  ad- 
dress any  comments  or  questions  you  may  have. 

The  Chairman.  Thank  you.  Dr.  Koski. 

[The  prepared  statement  of  Dr.  Koski  follows:] 

Prepared  Statement  of  Greg  Koski,  M.D. 

Dear  Mr.  Chairman  and  members  of  the  committee:  Privacy  is  the  ability  to 
choose  what  information  about  oiirselves  and  our  activities  we  win  share  with  oth- 
ers. Confidentiality  is  the  process  through  which  we  demonstrate  respect  for  other's 
privacy.  The  people  of  this  country  reasonably  expect  that  their  privacy  be  re- 
spected, and  that  sensitive  personal  information  about  themselves,  whatever  the  na- 
ture of  that  information  might  be,  not  be  disclosed  to  others  without  their  authoriza- 
tion, except  in  specific  circumstances  where  there  is  compeUing  justification.  Even 
then,  identifiable  personal  information  should  be  disclosed  only  with  specific  provi- 
sions for  protecting  its  confidentiality. 

Health  information  is  arguably  among  the  most  sensitive  types  of  personal  infor- 
mation and  has  always  been  afforded  special  consideration  when  issues  of  privacy 
and  confidentiaUty  are  concerned.  The  extraordinary  scope  of  social  and  techno- 
logical change  in  our  health  care  system  over  the  past  two  decades  has  unavoidably 
and  irrevocably  changed  the  practice  of  medicine  and  the  business  of  health  care. 
With  this  change,  the  pubhc  has  become  increasingly  concerned  about  loss  of  auton- 
omy and  loss  of  privacy,  both  of  which  seem  now  to  occur  all  too  fi*equently. 

Pubhc  concerns  regarding  unauthorized  access  to  personal  medical  information 
arise  from,  and  are  substantiated  by,  misuse  and  abuse  of  information  obtained  dur- 
ing encounters  with  the  health  care  system.  Patients  seeking  health  care  services 
are  obligated  to  compromise  their  own  privacy  and  to  share  intimate  personal  infor- 
mation about  themselves  and  their  families  with  their  caregivers.  They  do  so  with 
an  expectation  that  their  information  will  be  used  only  for  the  intended  purpose  and 
only  by  those  who  need  this  information  to  provide  care  and  complete  the  necessary 
business  of  healthcare.  Far  too  often,  this  is  not  the  case. 

Not  surprisingly,  a  climate  of  mistrust  has  developed  in  which  patients  are  de- 
manding more  control  over  who  has  access  to  their  personal  information  and  how 
that  information  is  to  be  used.  Since  many  patients  do  not  understand  the  complex- 
ity of  our  health  care  system  and  the  growing  need  for  many  different  parties  to 
access  patient  information  in  the  course  of  their  jobs,  the  adverse  impact  that  broad 
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restriction  of  access  can  have  on  the  system,  and  the  quaUty  of  care,  is  not  well  ap-  i 
preciated.  | 

The  complex  issues  involved  in  providing  and  managing  health  care  while  respect-  | 
ing  the  privacy  of  individual  persons  and  protecting  the  confidentiality  of  personal  || 
health  information  have  received  much  attention.  Current  legislative  activity  per-  ' 
taining  to  these  issues  at  both  the  state  and  national  levels  reflects  to  a  large  degree 
the  growing  interest  among  our  citizens  and  the  entire  health  care  system  and  relat- 
ed industries  in  finding  effective  ways  to  achieve  these  goals. 

One  such  effort  is  that  of  the  Health  Privacy  Working  Group,  an  initiative  of  the 
Georgetown  University  Institute  of  Health  Care  Research,  which  released  its  rec- 
ommendations last  summer.  The  *best  principles'  set  forth  in  that  report  provide  a 
usefiil  fi-amework  for  development  of  specific  poHcies  for  effective  management  and 
use  of  personal  health  care  information  in  a  manner  that  is  well-reasoned  and  work- 
able. This  statement  of  principles  does  not,  however,  obviate  the  need  for  effective 
legislation  to  affect  necessary  change  and  introduce  appropriate  safeguards  for  pro- 
tection of  privacy  and  confidentiality  of  health  information. 

In  compliance  with  the  requirements  estabUshed  by  the  Congress,  the  Secretary 
of  the  Department  of  Human  Services  has  introduced  a  comprehensive  set  of  stand- 
ards and  rules  governing  privacy  of  personal  health  information.  In  her  previous  , 
testimony  before  Congress,  the  Secretary  has  set  forth  five  guiding  principles  that  ! 
underlie  the  proposed  rules.  These  include  boundaries,  consumer  control,  security, 
accoimtability  and  public  responsibility.  The  rules  include  many  important  provi- 
sions for  protection  of  individual  privacy,  including  a  requirement  that  all  persons, 
institutions,  agencies  or  other  entities  that  collect  personal  health  information  be  re- 
quired to  develop  formal  written  policies  and  procedures  for  use  of  such  information, 
and  that  patients  be  notified  and  informed  of  these  poUcies  and  their  rights. 

These  rules  appropriately  limit  access  and  disclosure  of  information  on  a  rigorous  i 
"need  to  know"  basis.  They  stipulate  that  information  should  only  be  collect^  and 
maintained  in  identifiable  form  when  necessary  and  appropriate,  and  that  it  should 
be  used  only  for  those  specific  purposes  for  which  it  was  intended  at  the  time  of 
collection  unless  there  is  appropriate  notification  and  authorization  for  other  uses. 
When  identifiable  information  is  no  longer  needed,  it  should  be  destroyed  or  ren- 
dered non-identifiable  after  a  reasonable  period  of  time  unless  there  is  a  compelling  | 
justification  for  keeping  it.  \ 

Those  who  have  crafted  the  proposed  rules  deserve  accolades  for  their  thoughtful  ! 
work,  as  many  of  the  provisions  could  provide  usefiil  solutions  to  some  of  the  con- 
cerns discussed  above.  Nevertheless,  there  are  aspects  of  the  rules  that,  in  my  opin- 
ion, could  be  improved.  I  will  first  offer  a  few  remarks  regarding  the  broader  aspects 
of  the  proposed  rules  before  focusing  on  those  parts  pertaining  to  appropriate  con- 
duct and  oversight  of  health  research,  an  area  in  which  I  can  claim  some  experience 
and  expertise  by  virtue  of  my  professional  activities  and  responsibilities. 

While  the  proposed  rules  are  really  the  first  comprehensive  approach  to  protection 
of  private  health  information,  they  are  ultimately  Hmited  in  scope  to  information 
that  has  been  recorded  or  transmitted  in  electronic  form,  leaving  an  important  gap 
in  the  protections  afforded  information  stored  in  other  media,  particidarly  paper 
records.  This  shortcoming  should  be  addressed  by  ensuring  that  the  rules  are  made 
appUcable  to  all  protected  health  information,  regardless  of  the  manner,  format  or 
mediimi  in  which  it  is  collected  or  maintained. 

For  clarity,  I  would  like  to  call  attention  to  the  definition  of  "de-identified"  health 
information  used  in  these  rules.  Personal  health  information  that  can  be  attributed 
to  the  individual  person  fi-om  whom  it  was  obtained  is  "identifiable".  Only  informa- 
tion that  cannot  be  attributed  to  its  source  is  "non-identifiable".  When  information 
is  Hnked  by  a  specific  code  number  to  an  individual,  even  if  all  other  specific  identi- 
fying information  has  been  removed,  that  information  may  have  been  "de-identi- 
fied", but  it  is  still  identifiable  and  special  precautions  must  be  taken  to  restrict  the 
use  of  that  information  in  ways  that  were  not  authorized  by  the  individuals  of  origin 
at  the  time  it  was  obtained. 

The  use  of  the  term  "de-identified"  in  the  proposed  rules  is  not  interchangeable 
with  the  definition  of  "non-identifiable"  information  set  forth  in  the  Federal  Regula- 
tions for  Protection  of  Human  Subjects  in  Research,  may  be  conftising  and  mislead- 
ing, and  will  be  viewed  by  many  as  being  deceptive,  intended  or  not.  Information 
is  either  identifiable  or  not;  these  are  mutually  exclusive.  Identifiable  information 
may  be  anonymous,  encrypted,  coded,  or  otherwise  de-identified  in  an  effort  to  offer 
protection  of  privacy  and  ensure  confidentiality,  but  it  is  stiff  identifiable.  Accord- 
ingly, special  protections  must  be  in  place  to  ensure  that  re-identification  does  not 
occur  without  first  carefiilly  considering  the  impact  that  doing  so  may  have  on  the 
individuals  whose  privacy  will  be  violated. 
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The  scope  of  "health  care  operations"  is  useful,  but  the  list  includes  certain  activi- 
ties, such  as  outcome  assessments,  that  frequently  overlap  the  research  domain, 
which  I  will  discuss  in  greater  detail  below.  Care  should  be  taken  to  insure  that 
this  does  not  provide  a  loop  hole'  for  individuals  to  circumvent  review  and  approval 
processes  of  Institutional  Review  Boards  (IRBs)  and  the  protections  such  review  can 
provide  for  individual  subjects  of  that  research. 

The  rules  include  provisions  for  disclosure  of  information  to  outside  third  parties 
for  a  variety  of  purposes.  As  a  general  rule,  any  and  all  releases  of  identifiable 
health  information  to  third  parties  outside  of  the  health  care  setting  in  which  it  was 
obtained  should  be  authorized  by  the  individuals  from  whom  the  information  was 
obtained.  Secondary  "re-disclosure"  without  specific  authorization  to  parties  further 
removed  from  the  primary  source/custodian  should  be  prohibited  and  punishable  by 
law. 

The  issue  of  pre-emption  of  state  law  has  received  great  attention.  The  Secretary 
has  estabUshed  that  there  is  a  need  to  establish  a  minimum  standard  under  federal 
law  for  protections  of  privacy  and  confidentiality  of  personal  health  information,  and 
that  it  is  not  the  intent  of  these  rules  to  undermine  or  limit  the  ability  of  States 
choosing  to  pass  more  stringent  leeal  protections  for  individual  privacy.  Indeed,  at- 
tempts to  preempt  legislation  at  tne  State  level  has  been  viewed  with  skepticism 
as  an  attempt  to  protect  special  interests  that  may  be  in  conflict  with  those  of  indi- 
viduals. 

Turning  to  the  provisions  for  access  to  personal  health  information  for  research, 
I  would  first  point  out  that  the  benefits  of  biomedical  research  to  both  society  and 
individuals  is  widely  acknowledged  and  very  highly  valued  bv  the  American  people. 
In  a  recent  national  survey,  nearly  90  percent  of  those  polled  indicated  strong  or 
very  strong  support  for  biomedical  research  activities  and  a  personal  interest  in  par- 
ticipating in  reseaich,  provided  they  could  be  assured  that  their  interests  and  well- 
being  were  protected.  There  is  a  long  and  very  productive  tradition  of  using  medical 
records  ana  other  forms  of  health  information  for  research  purposes  in  this  country, 
and  such  uses  have  rarely  resiilted  in  breaches  of  confidentiality.  The  American  peo- 
ple have  been  very  willing  to  accept  this  exception  to  absolute  privacy  of  their  medi- 
cal information,  provided  the  information  is  handled  in  a  confidential  manner.  The 
rules  proposed  by  the  Secretary  recognize  this,  and  appropriately  allow  for  access 
to  protected  health  information  for  research  purposed  without  individual  authoriza- 
tion fi-om  patients,  but  only  with  appropriate  oversight. 

We  are  very  fortunate  to  have  in  place  in  this  country  a  system  for  protection  of 
human  subjects  in  research,  including  federal  laws  that  mandate  oversight  of  re- 
search by  duly  constituted  Institutional  Review  Boards.  This  system,  in  which  I  am 
a  proud  and  active  participant,  already  reviews  and  approves  most  of  the  biomedical 
research  conducted  in  this  country,  including  research  that  reUes  upon  uses  of  per- 
sonal health  information.  The  challenges  faced  by  the  IRBs  are  considerable,  but 
overall,  it  is  clear  that  since  the  IRB  system  was  developed  two  decades  ago,  bio- 
medical research  involving  human  subjects  has  flourished  and  reports  or  serious 
abuses  are  infi-equent.  Even  as  this  Committee  considers  new  rules  to  enhance  pro- 
tections for  patients'  privacy  and  confidentiaUty  of  health  information,  steps  are 
being  taken  to  strengthen  the  IRB  system  to  make  it  even  more  effective.  I  strongly 
support  these  actions,  and  beUeve  that  the  IRB  process  can  and  must  play  an  inte- 
gral role  in  oversight  of  all  research  involving  health  information. 

I  further  support  current  efforts  to  bring  all  research  involving  human  subjects, 
as  defined  in  federal  regulations,  under  the  "Common  Rule"  (45  CFR  46,  as  amend- 
ed), and  to  develop  a  process  to  credential  IRBs  and  health  researchers  as  a  fiirther 
step  toward  strengthening  the  system  for  protection  of  human  research  subjects. 
While  existing  rules  and  regulations  offer  the  IRBs  and  investigators  guidance  in 
the  use  of  personal  health  information,  more  specific  guidance  should  be  promul- 
gated to  address  issues  of  informed  consent,  uses  of  identifiable  versus  nonidentifi- 
able  information,  and  specific  mechanisms  for  protection  of  confidentiality. 

I  remain  troubled  by  one  provision  of  the  proposed  rules  that  would  allow,  in  some 
unspecified  cases,  a  'privacy  board'  to  be  substituted  for  an  IRB  in  the  approval 
process  for  research  involving  protected  health  information.  As  currently  proposed, 
such  privacy  boards  could  be  used  as  a  means  of  avoiding  IRB  review,  and  could 
result  in  a  lesser  standard  for  review  of  research  involving  private  health  informa- 
tion than  for  other  kinds  of  human  research.  This  approach  could  fiu1;her  fi-agment 
the  process  for  review,  approval  and  oversight  of  human  research  at  that  very  mo- 
ment when  unification  of  the  process  under  a  single  new  federal  Office  for  Human 
Research  Protection  is  about  to  be  realized.  This  would  be  an  error,  and  this  poten- 
tial loophole  should  be  closed. 

In  some  cases,  it  may  be  appropriate  for  institutional  "privacy  committees"  to 
oversee  access  to  personal  health  information  at  institutions  that  do  not  have  suffi- 
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cient  research  volume  to  justify  an  IRB,  but  in  those  cases,  the  research  should  first 
be  reviewed  and  approved  by  an  IRB  constituted  under  the  "Common  Rule"  accord-  \ 
ing  to  specific  giiidelines  for  research  access  to  private  health  information.  In  large  j 
institutions  and  in  the  growing  number  of  academically-based  integrated  health  care  i 
systems,  of  which  the  Partners  HealthCare  System  (Boston,  MA)  is  an  example,  the  ' 
co-existence  and  close  association  of  such  privacy  committees  and  IRBs  afford  com- 
pleteness and  consistency  in  pohcies  and  procedures  for  access  to  personal  health 
information  that,  at  least  in  our  case,  has  proven  to  be  very  beneficial  and  effective. 

There  are,  of  course,  those  who  will  decry  enhanced  privacy  protections  as  impedi- 
ments to  the  research  process.  They  claim  that  stronger  privacy  protections  win 
make  it  impossible  to  do  research.  In  fact,  exactly  the  opposite  is  true.  The  pubUc 
has  so  far  been  wilUng  to  allow  research  uses  of  their  private  information  to  proceed 
because  there  have  been  strong  protections  by  IRBs  and,  thankfiilly,  few  abuses  of 
this  privilege  by  the  research  community.  As  biomedical  research  increasingly  de- 
pends upon  access  to  more  personal  health  information,  and  to  genetic  information, 
information  that  is  intensely  personal  and  sensitive,  as  well  as  predictive,  society 
will  demand  that  privacy  protections  be  strengthened,  and  if  we  fail  to  meet  those 
expectations,  we  will  find  that  the  credibility  of  our  research  endeavors  are  further 
undermined  by  the  ever  intensifying  crisis  of  confidence  that  we  are  currently  fac- 
ing. Strengthening  protections  for  himian  subjects  and  for  privacy  of  health  informa- 
tion actuaUy  facilitates  our  research  mission. 

As  information  technology  and  electronic  medical  records  systems  play  an  ever 
growing  and  important  role  in  modem  health  care  and  research,  every  practicable 
effort  should  be  made  to  take  advantage  of  new  tools  and  methodologies  of  informa- 
tion science  to  enhance  protection  of  sensitive  information  and  patient  privacy  while 
concurrently  improving  accessibiUty.  Indeed,  new  approaches  to  electronic  security 
and  high-level  encryption  technologies  can  actually  be  used  to  strengthen  protection 
of  our  privacy,  but  this  will  only  happen  if  there  are  appropriate  iioles,  incentives, 
and  resoiirces  to  catalyze  development  and  implementation  of  such  technologies. 

In  closing,  I  would  Uke  to  thank  you,  Mr.  Chairman,  and  all  of  the  members  of 
the  committee  for  this  opportunity  to  express  my  views. 

The  Chairman.  Mr.  Houston,  in  your  written  testimony,  you 
mention  the  need  to  better  define  what  is  de-identified  information 
and  use  the  Dartmouth  Atlas  of  Health  Care  as  an  example  of 
using  aggregate  information.  Can  you  speak  for  a  moment  on  the 
difficulty  of  producing  such  a  document  while  in  compliance  with 
the  proposed  regulations? 

Mr.  Houston.  I  am  sorry,  Senator,  I  did  not  hear  the  very  first 
part  of  your  question.  I  am  sorry. 

The  Chairman.  In  your  written  testimony,  you  mention  the  need 
to  better  define  what  is  de-identified  information  and  use  the  Dart- 
mouth Atlas  of  Health  Care  as  an  example  of  using  aggregate  in- 
formation. Can  you  speak  for  a  moment  on  the  difficulty  of  produc- 
ing such  a  document  while  in  compliance  with  the  proposed  regula- 
tions? 

Mr.  Houston.  Simply,  I  think — and  the  American  Hospital  Asso- 
ciation can  provide  additional  information— but  I  think  the  issue  is 
at  what  level  do  you  de-identify  information  and  what  level  is  con- 
sidered compliant.  And  I  think  the  issue  really  comes  down  to  you 
want  to  be  able  to  make  full  use  of  the  information  while  protecting 
the  privacy  of  patient  information,  and  in  a  lot  of  cases,  you  may 
be  frustrated  in  trjdng  to  use  any  information  for  fear  you  are 
going  to  go  well  beyond  the  bounds  or  beyond  the  bounds  of  what 
the  rules  permit  you  to  do. 

So  I  guess  it  is  a  matter  of  how  much  can  you  de-identify,  and 
is  there  any  use  past  that  if  you  do  de-identify  it.  Again,  taking  in- 
formation  such  as  ZIP  Code,  birth  date,  things  like  that,  you  may 
end  up,  if  you  take  out  too  much  information,  making  it  useless  for 
analysis. 
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The  Chairman.  Some  groups  have  commented  with  respect  to 
the  minimum  necessary  standard  that  the  burden  should  be  on  the 
person  requesting  the  information,  not  the  one  giving  the  informa- 
tion. Does  this  make  sense  to  you,  or  do  you  beheve  the  entire  con- 
cept of  minimum  necessary  is  flawed? 

Mr.  Houston.  I  think  that  is  a  good  compromise.  Clearly,  I  think 
there  needs  to  be  a  justification  for  the  information  requested.  I 
think  that  clearly,  if  you  look  at  the  potential  scope  of  what  a  medi- 
cal record  or  identifiable  patient  information  can  be,  it  is  quite 
broad.  Within  the  health  system  today,  the  UPMC  Health  System, 
we  have  information  at  physician  offices,  at  individual  community 
hospitals,  and  at  our  primary  specialty  hospitals,  so  there  is  an 
enormous  amount  of  information  in  a  lot  of  different  forms,  a  lot 
of  different  mediums. 

I  think  that  by  requiring  them  to  scope  what  they  need  is  very 
helpful  for  us,  and  provide  some  type  of  justification  potentially  to 
allow  us  to  understand  what  the  purpose  of  their  use  is  and  wheth- 
er it  is  justified.  But  at  least  for  internal  business  purposes  or  for 
patient  care  purposes,  the  concept  of  minimum  necessary  is  very 
problematic.  A  lot  of  times,  though,  it  is  very  difficult  to  under- 
stand exactly  what  you  do  need  in  order  to  deliver  care.  I  think 
that  is  the  basis  for  our  greatest  concern,  that  you  do  not  want  to 
tie  the  hands  of  somebody  who  is  trying  to  deliver  effective  care  by 
trying  to  determine  what  is  necessary  for  them  in  order  to  deliver 
that  care. 

The  Chairman.  Finally,  could  you  clarify  for  me  your  position  on 
preemption?  Is  it  fair  to  say  that  you  support  full  preemption  of 
State  law  with  the  exception  being  the  area  of  law  enforcement? 

Mr.  Houston.  I  think  that  preemption  is  something  where  we 
need  to  have  a  single  common  standai'd.  The  UPMC  Health  System 
has  practices  and  clinics  in  multiple  States  as  well  as  in  hospitals 
in  Pennsylvania.  I  think  the  issue  is  that  we  need  to  have  clear 
guidance  on  what  set  of  standards  we  need  to  apply. 

Clearly,  if  there  is  true  Federal  preemption,  that  is  very  helpful 
to  us.  In  the  alternative,  if  there  is  not  preemption,  I  think  some- 
body needs  to  be  very  clear  to  us  as  to  what  preempts  what  and 
what  standards  to  apply  when.  I  think  that  has  to  occur  through 
the  Department  of  Health  and  Human  Services,  or  Federal  preemp- 
tion is  in  my  mind  required. 

The  Chairman.  Ms.  Farmer,  when  the  committee  worked  on  pri- 
vacy legislation  last  year,  we  heard  from  the  occupational  nurses 
who  were  concerned  about  sharing  medical  information  with  em- 
ployers. Can  you  comment  on  the  typical  barriers  that  exist  be- 
tween employers  requesting  information  and  occupational  thera- 
pists feeling  compelled  to  protect  that  information? 

Ms.  Farmer.  Yes,  sir,  I  can.  Speaking  specifically  now  from  Hew- 
lett Packard's  practices,  we  have  a  privacy  policy  that  has  been  in 
place  for  over  25  years.  It  does  apply  to  medical  records,  and  ac- 
cordingly, the  way  that  health  data  is  protected  on  an  individual 
basis  within  Hewlett  Packard  is  that  only  those  who  have  a  busi- 
ness need  to  know  are  permitted  access  to  that  information. 

In  regard  to  our  particular  organization,  work-related  or  site-spe- 
cific medical  information  is  retained  at  the  occupational  health 
nurse  level  at  particular  sites.  Those  records  are  based  on  paper — 
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they  are  not  electronic— and  they  are  secured  strictly  by  the  occu- 
pational health  nurses.  They  are  not  required  to  share  any  of  that 
information  with  any  of  the  employers  for  any  other  need  to  know 
other  than  a  program  manager,  who  would  have  a  very  rare  and 
infrequent  need  to  know. 

So  from  our  perspective,  the  medical  privacy  and  the  information 
of  those  records  by  the  occupational  health  nurses  is  kept  com- 
pletely separate  through  an  internal  fire  wall  from  employers,  pro- 
tecting employers  from  having  access  to  the  particular  individual 
information. 

The  Chairman.  Senator  Kennedy. 

Senator  Kennedy.  Thank  you  very  much,  and  I  thank  our  panel. 
Obviously,  we  have  heard  some  different  views  on  this  issue. 

I  suppose  we  should  understand  that  the  HHS  regulations  are 
just  that— regulations — so  it  does  not  take  away  from  the  impor- 
tance of  having  legislation  that  will  either  follow  some  of  the  paths 
that  have  been  outlined  by  HHS  or  others.  I  think  that  that  is  im- 
portant for  us  to  recognize. 

Dr.  Koski,  coming  back  again  to  Massachusetts,  we  have  a  pretty 
good  law  up  there,  and  there  is  an  additional  proposal  for  addi- 
tional protections.  I  am  just  wondering,  first  of  all,  about  your  reac- 
tion to  the  HHS  regulations.  Have  you  had  a  chance  to  look  at 
them;  have  you  reviewed  them;  do  you  have  a  reaction  to  them? 

Dr.  Koski.  I  have,  but  I  would  like  to  focus  specifically  on  the 
research  provisions,  where  I  would  be  most  familiar  with  them. 

Senator  Kennedy.  Fine. 

Dr.  Koski.  In  general,  I  believe  they  do  provide  a  high  level  of 
protection  for  use  of  private  information  and  research  that  further 
strengthens  those  that  are  already  included  in  the  appropriate  Fed- 
eral legislation  dealing  with  those  uses. 

It  will  require  that  there  be  some  further  clarification  to  the  in- 
stitutional review  boards  in  order  to  be  sure  that  these  are  applied 
in  a  uniform  fashion  nationally,  but  in  general,  I  believe  that  those 
are  the  kinds  of  protections  that  are  necessary  in  order  to  maintain 
the  confidence  of  the  public  that  will  allow  us  to  continue  to  use 
this  information  as  we  have  been. 

Senator  Kennedy.  As  a  researcher,  how  important  is  that  sense 
of  the  confidence  of  the  public  in  getting  good  information  that  is 
the  basis  of  good  research?  How  important  is  that? 

Dr.  Koski.  It  is  absolutely  essential.  I  cannot  put  it  in  any  other 
terms.  Society  benefits  from  research,  but  in  order  to  get  results 
from  the  research,  it  is  individuals  who  take  the  risks,  and  we  as 
a  society  have  a  responsibility  to  protect  those  individuals  who  are 
taking  the  risks,  from  which  we  will  all  benefit,  so  it  is  essential. 

Senator  Kennedy.  Would  you  be  happier  if  we  had  the  preemp- 
tion if  the  regulations  were  actually  law  and  preempted  the  kinds 
of  protections  that  are  there  in  Massachusetts,  or  do  you  find  the 
protections  that  are  there — ^to  be  necessary?  For  example,  in  men- 
tal health,  Massachusetts  has  broad  protections  against  disclosure 
of  mental  health  records,  even  HHS  has  narrower  protections 
against  disclosure  of  mental  health  therapy  notes.  So  it  is  a  nar- 
rower kind  of  a  protection. 
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What  is  your  own  sense  about  the  preemption  issue?  Are  you 
troubled  by  the  disparity  between  what  is  happening  in  the  Federal 
law  versus  the  State  laws? 

Dr.  KOSKI.  Well,  yes,  I  am  to  a  certain  extent.  I  guess  I  would 
have  to  say  if  the  floor  established  under  the  Federal  regulations 
or  legislation  that  results  is  set  sufficiently  high,  those  concerns 
would  be  relieved  somewhat.  But  yes,  I  do  have  some  concerns. 

Senator  Kennedy.  In  the  HHS  regulations,  there  is  no  right  of 
private  legal  action,  and  on  the  specific  protection  of  other  types  of 
medical  information — for  example,  information  on  HIV  status,  ge- 
netic information  and  others — there  is  no  protection,  and  there  is 
no  medical  records  ombudsman,  which  they  have  again  at  the  State 
level. 

Do  you  have  any  reaction  to  the  issues  of  private  right  of  action 
or  special  protections  for  other  types  of  medical  information  or  the 
medical  records  ombudsman? 

Dr.  KoSKi.  Yes.  I  believe  that  when  there  have  been  abuses  of 
private  information,  there  should  be  some  recourse,  so  that  I  per- 
sonally favor  a  private  right  of  action. 

With  respect  to  certain  areas  of  highly  sensitive  information  such 
as  HIV  status,  reproductive  health,  mental  health,  in  the  research 
domain,  the  existing  Federal  regulations  already  provide  a  higher 
level  of  protection  in  those  areas,  as  does  the  State  legislation  in 
Massachusetts. 

Senator  Kennedy.  On  another  area,  do  you  feel  qualified  to  talk 
about  the  regulations  as  they  apply  to  law  enforcement?  Do  you 
have  any  reaction  to  that  balance  between  getting  information  from 
law  enforcement  officials  and  what  the  standard  should  be? 

Dr.  KosKl.  I  would  prefer  to  defer  to  others  who  would  be  more 
knowledgeable  in  that  area. 

Senator  Kennedy.  Fine. 

From  your  own  knowledge,  has  this  been  unduly  burdensome  in 
terms  of  the  costs?  Have  you  found  that  people  have  complained 
about  the  kinds  of  protections  that  have  been  required  in  terms  of 
the  business  sector  in  our  State?  Has  it  been  an  undue  burden? 

Dr.  KOSKI.  No,  it  has  not.  Again,  in  the  research  domain,  this  is 
an  area  where  if  you  are  going  to  do  it,  you  simply  have  to  do  it 
right,  and  this  is  one  of  the  necessary  costs  of  doing  that  business, 
and  I  do  not  believe  that  it  has  been  unnecessarily  burdensome. 

Senator  Kennedy.  Thank  you. 

Thank  you,  Mr.  Chairman. 

The  Chairman.  Thank  you. 

Senator  Murray. 

Senator  Murray.  Thank  you  very  much,  Mr.  Chairman,  for  hav- 
ing this  hearing.  Like  all  the  members  of  this  committee,  I  am 
sorry  that  we  were  not  able  to  enact  legislation  by  the  August  21st 
deadline,  and  I  hope  we  can  continue  to  work  toward  that  goal  be- 
cause I  think  we  do  need  a  comprehensive  Federal  standard,  and 
we  need  to  provide  what  our  constituents  are  looking  for. 

I  have  a  couple  area  of  concern,  and  I  will  just  throw  them  out 
for  any  of  the  panelists  who  want  to  comment.  One  is  on  the  pri- 
vacy and  confidentiality  guarantees  for  minors,  which  I  think  is  of 
particular  concern.  In  Washington  State,  we  do  have  protections  for 
minors;  their  confidentiality  is  guaranteed  when  they  seek  family 
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planning  services,  STD  screening,  and  mental  health  services,  and 
I  think  it  is  very  important  that  whatever  we  do  protects  that  abil- 
ity for  States  like  mine  to  do  that.  Clearly,  this  goes  beyond  an  un- 
wanted pregnancy.  It  has  to  do  with  STD;  it  has  to  do  with  AIDS, 
which  can  be  fatal;  it  has  to  do  with  mental  health — and  we  know 
that  suicide  is  the  second  leading  cause  of  death  for  minors.  So  I 
think  it  is  important  that  we  do  that,  and  I  am  concerned  whether 
or  not  the  proposed  regulations  from  HHS  provide  that  kind  of 
State  confidentiality  and  privacy  requirements  that  are  enacted. 

Would  anybody  like  to  comment  on  that? 

[No  response.] 

Senator  Murray.  You  are  not  going  to  touch  it.  Well,  I  do  hope 
this  committee  continues  to  keep  that  in  mind.  I  think  it  is  a  very 
important  area. 

The  other  area  I  have  a  great  deal  of  concern  about  is  the  issue 
of  victims  of  domestic  violence.  Women  and  men  who  are  victims 
of  domestic  violence  do  not  seek  health  care  if  they  do  not  feel  their 
confidentiality  is  very  closely  guarded.  They  worry  that  an  insur- 
ance company  will  notify  the  payer  of  the  bills,  who  may  well  be 
the  abuser.  If  any  of  you  would  like  to  comment  on  how  we  can  pro- 
tect that  privacy  and  what  kinds  of  regulations  should  be  in  place 
for  that,  I  would  appreciate  it. 

Mr.  Houston.  Let  me  comment  on  both  issues,  because  I  think 
they  go  to  the  same  issue.  As  a  provider,  the  provider  wants  to  do 
the  right  thing,  which  is  to  make  sure  that  appropriate  treatment 
is  provided,  and  whatever  is  required  to  ensure  that  that  happens 
is  I  think  what  needs  to  be  done.  If  there  need  to  be  ways  to  rea- 
sonably put  in  place  provisions  to  protect  both  minors  and  abused 
spouses  and  the  like,  then  we  need  to  do  that.  It  is  always  a  bal- 
ance of  that  against  the  burden,  and  I  think  that  is  really  where 
I  know  we  have  had  the  most  problems,  that  we  absolutely  have 
the  position  that  we  want  to  keep  this  information  confidential  and 
private;  how  do  we  do  that  without  not  only  impacting  our  ability 
to  deliver  health  care,  but  also,  in  a  lot  of  cases,  in  the  face  of 
shrinking  reimbursement,  to  continue  to  be  able  to  dispatch  our 
mission. 

So  having  read  through  the  rules  at  length,  there  really  is  not 
anything  in  there  that  would  go  counter  to  your  concerns.  I  think 
it  is  spoken  to  generally,  if  you  ask  me,  and  I  think  that  clearly, 
those  are  the  types  of  things  that  we  would  want  as  a  health  sys- 
tem to  try  to  ensure  happen.  I  mean,  we  would  want  to  make  sure 
that  those  protections  are  in  place  and  that  that  occurs. 

Senator  Murray.  Does  anybody  else  want  to  comment? 

[No  response.] 

Senator  Murray.  Thank  you,  Mr.  Chairman.  I  will  continue  to 
follow  those  concerns. 
The  Chairman.  Thank  you.  Senator  Murray. 
Senator  Dodd. 

Senator  Dodd.  Thank  you,  Mr.  Chairman,  and  thanks  for  hold- 
ing this  hearing.  I  apologize  for  arriving  a  little  late  and  missing 
the  first  witness,  but  this  is  one  of  those  mornings  where  every 
committee  seems  to  be  holding  a  hearing  at  the  same  time,  so  I 
apologize  to  our  witnesses  for  not  being  here  to  hear  all  of  your  tes- 
timony. 
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Mr.  Chairman,  as  you  know,  we  tried  very  hard  to  get  a  privacy 
bill  passed  in  the  medical  records  area,  with  your  help.  Senator 
Kennedys  and  others  here.  We  were  unable  to  get  it  done,  at  least 
as  of  this  date.  I  am  still  hopeful,  although  with  each  passing  day, 
my  hope  diminishes  substantially  that  in  this  Congress,  we  are 
going  to  deal  with  this  issue. 

It  is  a  complicated  issue — we  know  that — and  there  are  unin- 
tended consequences  that  can  occur  as  a  result  of  any  legislation 
being  adopted,  so  you  have  got  to  think  it  through  carefully.  But 
it  is  our  responsibility  here  to  do  that  in  an  area  that  is  as  signifi- 
cant as  this.  When  we  surveyed  issues  of  importance  to  people  in 
Connecticut,  this  issue  dwarfed  every  other  issue.  From  taxes  and 
budget  and  crime,  the  issue  of  privacy  generally — we  did  not  get 
into  the  issue  of  medical  and  financial  records  and  distinguish — ^but 
just  on  the  notion  of  privacy,  this  issue  dwarfed  every  other  con- 
cern in  my  constituency  a  year  or  so  ago.  So  there  is  a  real  concern 
out  there.  And  with  the  explosion  of  the  Internet  from  13  web  sites 
as  of  January  20,  1993  to  15  million,  with  45,000  pages  being 
added  every  minute  worldwide,  people  have  an  unease  about  the 
ability  of  others  to  peer  into  their  medicine  cabinets,  to  peer  into 
their  bank  accounts,  to  peer  into  their  bedrooms,  to  glare  into  the 
most  intimate  and  private  aspects  of  their  lives. 

And  we  will  do  something  on  this  issue,  I  promise  you.  We  will 
do  something  on  privacy.  The  question  is  whether  or  not  we  will 
do  the  right  thing  about  this  issue,  and  that  is  what  we  really  have 
to  be  careful  about.  I  applaud  the  administration  for  moving  on  the 
regulations.  That  was  certainly  helpful. 

But  I  want  to  point  out,  Mr.  Chairman,  that  while  I  think  the 
administration  has  done  a  good  job  here,  there  are  certain  things 
they  were  not  able  to  address.  And  even  with  some  of  the  State 
laws  out  there,  without  having  a  Federal  law  that  has  breadth  and 
depth  to  it,  we  have  a  patchwork  that  is  very  uneven.  The  reality 
is  that  right  now,  patients  have  few  enforceable  rights  in  this  area 
when  it  comes  to  the  privacy  of  their  personal  health  information. 
In  some  States,  they  do  not  have  the  right  to  see  their  own  medical 
records.  In  most  States,  you  do  not  have  the  right  to  prevent  infor- 
mation that  you  give  in  confidence  to  your  doctor  from  being  used 
in  direct  marketing.  In  almost  all  States,  you  do  not  have  the  right 
to  keep  your  insurer  from  sharing  your  records  with  an  employer. 
By  and  large,  with  the  exception  of  a  few  States,  all  you  have 
standing  between  you  and  the  misuse  of  your  information  are  good 
intentions,  professional  ethics  and  internal  company  policies.  I  am 
not  saying  that  that  is  insignificant,  but  that  is  little  source  of  con- 
fidence to  most  people. 

And  of  course,  as  we  now  know,  with  these  regulations,  even 
though  they  are  valuable,  they  are  limited  in  scope.  The  Secretary 
cannot  regulate  paper  records  that  were  never  in  electronic  form. 
She  cannot  directly  regulate  the  use  of  medical  information  by  mar- 
keting firms,  employers  and  researchers,  and  the  Secretary  cannot 
offer  individuals  whose  rights  have  been  violated  the  opportunity 
to  seek  legal  redress. 

Only  Congress,  as  Senator  Kennedy  has  pointed  out  accurately 
and  wisely  here,  can  really  protect  in  these  areas.  So  I  think  we 
have  got  to  step  up  to  the  plate  and  do  it  quickly,  and  I  am  hopeful 
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that  will  be  the  case,  Mr.  Chairman.  I  am  deeply  disappointed  that 
we  have  apparently  let  this  Congress  go  by  without  doing  anything. 

I  have  a  couple  of  quick  questions  for  the  panel.  One,  I  would 
like  to  come  back  to  the  minimum  amount  necessary  issue  if  I 
could  very  quickly.  It  is  difficult  to  put  parameters  around  what  is 
meant  by  "minimum  amount  necessary"  in  the  context  of  transfer 
of  information.  But  I  also  want  to  raise  the  question  of  how  this 
concept  should  be  operationalized  here.  If  providers  must  contin- 
ually question  whether  they  are  passing  out  too  much  of  health 
care  information — should  we  also  be  concerned  that  we  will  see  an 
increase  in  medical  errors,  and  should  we  be  worried  about  seeing 
more  adverse  drug  reactions  if  doctors  are  not  provided  with  the 
full  medical  history  of  their  patients?  The  concept  of  "minimal 
amount  necessary,"  is  an  important  one  and  yet  it  seems  to  me 
that  the  issues  may  be  different  for  internal  versus  external  shar- 
ing of  information. 

When  I  to  have  a  stress  test  or  a  heart  test,  I  want  that  doctor 
to  also  know  what  vitamins  or  prescriptions  I  am  on,  so  that  in 
making  that  determination  of  what  health  care  I  need,  they  have 
all  the  necessary  information. 

I  wonder  if  you  might  just  quickly  comment  on  that.  Let  us  begin 
with  you,  Dr.  Koski. 

Dr.  KosKl.  Yes.  We  discussed  this  at  length  in  Massachusetts 
when  we  were  working  on  the  bill  there,  and  clearly,  restriction  of 
the  free  access  to  the  medical  information  for  the  purposes  of  deliv- 
ering care  is  a  mistake,  because  it  can  result  in  exactly  the  kinds 
of  errors  that  you  are  referring  to. 

The  greater  concern  is  about  why  information  of  a  very  specific 
nature  about  a  particular  medical  encounter  should  be  released  as 
part  of  a  general  request  for  information  when  it  has  no  relevance 
to  the  particular  activity  being  undertaken.  Why  any  information 
should  ever  be  released  for  marketing  purposes  is  beyond  my  com- 
prehension. 

So  the  key  point  here  is  that  we  need  to  understand  that  infor- 
mation is  provided  for  specific,  intended  uses,  and  it  should  be  re- 
stricted to  those  uses  and  to  the  individuals  who  need  to  work  to 
do  those  jobs.  And  whenever  there  is  a  new  job  that  has  to  be  done, 
we  should  carefully  define  what  information  is  needed  to  do  that. 
And  that  is  going  to  take  some  time — granted — ^but  it  is  exactly  the 
approach  that  we  need  to  take. 

Mr.  Houston.  Just  a  brief  comment.  In  your  opening  remarks, 
you  talked  about  the  rise  of  the  Internet.  I  think  the  issue  here  is 
that  there  is  also  the  issue  of  security  versus  privacy.  Security  is 
keeping  people  out  who  have  no  right  to  that  information,  and  pri- 
vacy is  the  inappropriate  use  of  information  by  people  who  may 
otherwise  have  a  right  to  access  at  least  parts  of  the  information 
that  is  available. 

So  I  think  the  security  regulations  or  rules  that  were  proposed 
go  a  long  way  toward  addressing  the  concern  of  people  via  the 
Internet  anonymously  going  after  information.  So  I  think  they  do 
serve  us  well  in  that  regard,  and  I  suppose  those  fully. 

I  think  the  issue  of  minimum  necessary,  then,  is  a  question  of, 
for  internal  purposes,  what  should  be  made  available,  and  for  other 
purposes  when  requested,  how  much  should  be  made  available,  and 
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1  think  Senator  Jeffords'  earlier  question  regarding  should  they  be 
required  to  ask  us  for  a  specific  subset  of  information  and  possibly 
give  a  justification  for  why  they  need  that  information  would  be 
very  helpful. 

Senator  Dodd.  Mr.  Chairman,  I  see  the  red  light  is  on. 
The  Chairman.  Senator  Reed. 

Senator  Reed.  I  think  you  wanted  to  respond,  Dr.  Koski. 

Dr.  KOSKI.  Yes.  I  just  wanted  to  be  sure  that  we  do  not  leave  the 
impression  that  information  technology  is  just  a  villain  in  this  de- 
bate, because  after  all,  there  are  information  technology  tools  that 
can  be  very  effectively  used  to  facilitate  a  lot  of  what  we  are  trying 
to  do.  A  good  example  of  that  is  the  ability  to  put  all  of  the  medical 
information  on  all  of  our  patients  in  a  health  care  system  with  over 

2  million  subscribers  and  have  that  information  accessible  to  re- 
searchers with  all  identifiers  removed  so  that  that  information  can 
be  used  freely,  without  compromising  privacy.  So  we  need  to  look 
at  where  the  information  technology  can  be  beneficial  as  well  as 
where  it  poses  certain  

Senator  Dodd.  Yes.  If  I  could  just  comment  on  that,  I  did  not 
want  to  suggest  that.  Medical  information  may  be  a  lot  safer  today 
on  the  Internet  than  it  would  be  in  the  old  file  cabinet  with  paper. 
So  do  not  misunderstand  me  on  that.  But  because  this  is  so  new 
to  so  many  people,  it  is  unsettling.  This  a  technology  that  most  peo- 
ple are  not  familiar  with.  And  we  have  seen  abuses  in  terms  of  ac- 
cess— ^for  example,  with  Internet  drugstores. 

So  I  have  some  specific  questions,  but  my  time  has  run  out,  so 
I  will  come  back. 

Thank  you,  Mr.  Chairman. 

The  Chairman.  Senator  Reed. 

Senator  Reed.  I  think  this  is  a  worthwhile  colloquy.  Mr.  Hous- 
ton, do  you  have  a  comment  with  respect  to  this? 

Mr.  Houston.  I  just  want  to  make  it  very  clear,  though,  that 
when  we  talk  about  the  power  of  information  technology,  I  also 
must  warn  that  today,  very  few  health  systems  or  hospitals  in  the 
United  States  have  a  truly  electronic  medical  record.  The  costs  are 
significant;  it  is  going  to  take  a  long  time  to  get  where  we  need  to 

go- 
Senator  Dodd.  And  these  regulations  do  not  cover  paper  records 
that  have  never  been  electronic. 

Mr.  Houston.  And  it  sets  a  different  standard,  and  also,  I  think 
if  the  source  of  compliance  ultimately  is  through  us,  having  purely 
electronic  systems  to  handle  this  information  and  secure  this  infor- 
mation is  the  best  way  to  proceed,  but  we  are  not  there,  and  we 
are  not  going  to  be  there  for  along  time,  and  it  does  cause  a  lot  of 
significant  problems. 
Senator  Reed.  Thank  you,  Mr.  Chairman. 

One  topic  that  has  been  discussed  this  morning  has  been  pre- 
emption of  State  laws,  and  it  seems  to  me  that  preemption  pre- 
sents us  with  a  dilemma.  In  order  to  confidently  preempt  State 
laws,  we  have  to  understand  and  know  that  we  have  a  strong,  com- 
prehensive Federal  law.  This  morning,  I  have  heard  two  streams 
of  thought — one,  preempt  State  laws,  but  we  do  not  want  this  oner- 
ous Federal  law  to  impose  restrictions  upon  us. 
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Frankly,  I  think  that  if  we  are  going  to  resolve  this,  because  of 
the  nature  of  this  technology  and  the  fact  that  frankly,  it  is  now 
not  only  accessible  across  the  country  but  around  the  world,  we 
need  a  strong  national  standard.  In  the  long  run,  I  hope  it  is  not 
just  those  of  us  here  in  the  Senate,  but  those  members  of  the  af- 
fected communities  who  stand  up  and  say  we  need  national  rules, 
but  we  understand  they  have  got  to  be  tough  and  comprehensive 
and  constraining  in  a  proper  way. 

I  wonder  if  you  might  comment  on  that  from  your  different  per- 
spectives. 

Ms.  Farmer. 

Ms.  Farmer.  Thank  you,  yes.  I  would  like  to  comment. 

As  a  technology-based  firm  and  operating  in  a  global  environ- 
ment, we  are  keenly  cognizant  of  the  issues  you  just  mentioned, 
and  since  we  are  moving  to  a  higher  level  of  systems  integration 
and  efficiencies  around  the  world,  our  issues  are  no  longer  even 
U.S.-based;  they  are  globally  based — what  are  the  appropriate  sys- 
tems, securities,  encryptions,  uses  of  passwords,  fire  walls,  etc,  as 
we  move  not  only  medical  information  but  information  in  general 
around  the  world. 

We  would  agree  that  we  need  to  have  privacy.  Fundamentally, 
one  of  the  core  values  of  Hewlett  Packard  has  been  respect  for  the 
individual  employees  and  their  right  to  privacy.  While  not  all  em- 
ployers may  have  the  policy  that  we  have  in  place,  and  we  do  en- 
dorse and  support  Federal  legislation,  fundamentally,  we  believe  it 
is  the  employer  community,  the  medical  community,  the  research 
community,  as  we  gather  together,  to  say  that  this  is  what  we  all 
need  to  do.  We  need  to  have  those  standards. 

We  would  just  implore  that  as  we  have  this  debate,  we  try  to  cre- 
ate a  workable,  tough  standard  that  takes  into  consideration  the 
need  for  American  business  to  still  be  able  to  have  some  modicum 
of  being  able  to  manage  the  health  care  dollars  that  they  are  trying 
to  basically  drive  productivity  in  the  work  force. 

Senator  Reed.  Well,  I  obviously  agree  with  your  sentiments.  One 
observation  that  I  would  make  is  that  I  think  you  are  all  going  to 
be  driven  not  by  the  most  enlightened  members  of  your  community, 
but  by  the  most  unscrupulous  members  of  your  community,  and 
once  that  hits  the  public  this  issue  is  going  to  ignite.  We  are  now 
talking  about  not  just  a  tactical  issue  here;  this  is  a  cultural  issue 
in  America — ^the  "Jeremiah  Johnson"  ethic  is  very  strong,  going  off 
by  yourself,  either  into  the  woods  or  into  your  own  home — this  is 
a  cultural  issue  with  tremendous  resonance  with  the  American 
public.  What  I  would  hope  we  could  do  is  very  quickly  collect  input 
from  all  the  different  private  sectors  to  help  us  move  forward,  jump 
start  this  process  and  get  a  national  standard  that  will  work  for 
all  of  us. 

Are  there  any  other  comments?  Mr.  Houston? 

Mr.  Houston.  I  think  we  are  looking  for  guidance,  frankly  

Senator  Reed.  So  are  we;  we  are  wandering. 

Mr.  Houston.  I  believe  in  doing  business  in  the  most  ethical 
manner,  and  today  we  often  have  to  use  our  best  judgment  as  to 
what  is  appropriate,  and  we  typically  are  very  conservative  in  al- 
lowing the  use  of  data.  But  frankly,  I  think  that  one  common  body 
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of  law  is  going  to  help  rather  than  hurt,  and  I  think  it  is  important 
to  have. 
Senator  Reed.  Doctor. 

Dr.  KOSKI.  Where  I  think  one  comes  down  on  the  issue  of  pre- 
emption depends  on  where  you  happen  to  be  standing  at  the  time. 
Everyone  is  vested  in  what  they  believe  to  be  their  own  best  State 
law  for  whatever  reasons,  and  if  you  feel  that  the  Federal  legisla- 
tion would  undermine  those  and  provide  a  lesser  standard,  then 
you  would  probably  oppose  preemption,  whereas  if  you  think  it  is 
going  to  make  things  so  restrictive  that  you  wouldn't  be  able  to  do 
what  the  people  in  your  State  thought  you  ought  to  be  doing,  then 
you  will  come  down  there,  so  finding  that  balance — ^but  I  think  the 
key  point  here  is  that  we  truly  need  to  look  at  what  the  people  are 
saying,  and  that  is  we  are  concerned  about  our  privacy,  as  Senator 
Dodd  pointed  out,  and  we  need  to  listen  to  that  first  and  then  find 
where  we  can  work  to  satisfy  their  concerns  and  yet  meet  the 
needs  that  Mr.  Houston  and  Ms.  Farmer  have  mentioned. 

Senator  Reed.  Thank  you. 

I  guess  my  final  point  would  be  that  I  think  it  would  help,  in 
terms  of  that  search  for  guidance,  if  we  start  with  the  presumption 
that  whatever  we  do  at  the  Federal  level  is  going  to  be  very  tough, 
very  comprehensive,  and  very  responsive  to  this  deep  cultural 
sense  of  privacy,  rather  than  thinking,  well,  let  us  start  negotiating 
down  as  far  as  we  can  to  get  to  something  that  gives  us  maximum 
flexibility. 

Thank  you,  Mr.  Chairman. 

The  Chairman.  Senator  Wellstone. 

Senator  Wellstone.  Thank  you,  Mr.  Chairman.  I  apologize  for 
being  late.  I  had  some  questions  for  Ms.  Goldman  that  I  may  not 
be  able  to  ask  because  I  have  to  leave  because  of  what  is  going  on 
in  agriculture  in  Minnesota.  But  let  me  put  some  questions  to  the 
panel. 

First,  let  me  thank  you,  Mr.  Chairman,  for  the  hearing.  I  really 
approach  the  issue  of  privacy  of  medical  information  as  a 
layperson. 

Building  on  what  Senator  Reed  just  said,  I  think  it  is  not  just 
a  cultural  issue  that  we  want  our  privacy,  but  it  is  also  the  very 
legitimate  fear  that  people  have  about  how  their  personal  health 
information  is  going  to  be  used.  If  there  is  a  genetic  predisposition 
toward  substance  abuse,  mental  illness  or  neurological  disease  in 
your  family,  you  have  every  reason  in  the  world  to  worry  about 
who  gets  hold  of  that  information.  You  worry  about  what  efffect  it 
will  have  on  insurance  premiums,  and  what  effect  it  will  have  on 
whether  you  get  a  job  somewhere. 

So  I  think  there  are  multiple  reasons  for  concern.  But  the  biggest 
concern  I  have  about  the  proposed  regulations  is  that  they  com- 
pletely eliminate  the  fundamental  concept  of  informed  consent. 
That  is  gone,  as  I  see  it.  If  personal  health  information  can  be  dis- 
closed without  informed  consent,  a  sacred  contract  between  doctor 
and  patient,  the  trust  between  doctor  and  patient  is  violated.  Con- 
sent is  critical  to  insuring  privacy  and  it  is  the  underpinning  of 
high  quality  care.  So  I  want  to  ask  whether  each  of  you  would  at 
least  support  the  concept  of  a  separate  category  of  "sensitive  infor- 
mation" that  would  require  prior  informed  consent  for  disclosure? 
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This  question  could  be  for  any  of  you,  and  you  all  may  not  be  in 
agreement,  but  I  am  most  concerned  about  this  question. 
Yes,  Dr.  Koski. 

Dr.  KOSKI.  Informed  consent  is  obviously  something  that  is  criti- 
cally important  in  the  research  domain,  so  I  may  address  it  from 
that  perspective. 

There  are  already,  as  I  mentioned  earlier,  special  protections  for 
highly-sensitive  types  of  information.  The  regulations  that  have 
been  proposed  would  allow  for  a  waiver  of  informed  consent  for 
uses  of  identifiable  information  for  research  purposes  only  when 
those  studies  were  deemed  to  constitute  minimal  risk  to  the  indi- 
viduals for  which  these  highly-sensitive  areas  of  information  would 
not  apply.  And  the  standards  for  protection  would  be  increased  in 
a  manner  that  is  commensurate  with  the  sensitivity  of  the  data,  so 
that  there  would  certainly  be  instances  where  full  informed  consent 
would  be  required. 

So  I  think  that  the  characterization  of  this  doing  away  with  in- 
formed consent  is  probably  not  entirely  accurate,  but  

Senator  Wellstone.  You  do  not  need  to  be  kind.  You  think  the 
premise  of  the  question  is  wrong,  at  least  with  respect  to  research? 

Dr.  Koski.  Yes. 

Senator  Wellstone.  OK.  That  is  important  to  me.  Fd  like  to  get 
other  input  from  others. 
Yes,  Ms.  Farmer. 

Ms.  Farmer.  I  would  like  to  make  a  comment  on  that.  In  terms 
of  the  employer  perspective  on  an  individually-based  informed  con- 
sent, while  I  concur  with  the  concept  of  information,  the  individual 
authorization  or  release,  if  you  will,  would  be  problematic  in  the 
employer  environment. 

We  have  many,  many  years  of  wise  experience  that  tell  us  that 
when  we  go  out  and  reach  out  to  our  employee  populations  and  say 
you  must  sign  thi?  document  and  return  it  to  us,  if  we  get  a  20 
or  30  percent  response  rate  after  two  or  three  follow-up  mailings, 
we  are  doing  great.  So  what  we  have  here  is  maybe  a  law  of  unin- 
tended consequences.  If  we  were  required  in  the  employer  domain 
to  have  this  informed  written  authorization  to  release,  then  we 
would  have,  unfortunately,  employees  in  our  work  force  who,  be- 
cause they  failed  to  sign  an  authorization,  would  be  precluded  from 
participating  in  the  health  programs  and  plans,  etc,  which  is  not 
our  goal.  Our  goal  is  to  have  our  very  valued  employees  come  on 
board  with  us  and  have  the  catastrophic  coverage  and  the  medical 
needs  for  themselves  and  their  families  and  not  have  that  get  lost 
in  a  boondoggle  of  administration. 

Mr.  Houston.  I  think  the  other  thing  that  is  important  from  a 
research  perspective  is  that  we  are  on  the  verge  of  really  being  able 
to  store  enormous  amounts  of  information  on  line  and  to  use  that 
ard  to  mine  it  for  the  purposes  of  research.  We  do  a  lot  of  that 
today  at  the  UPMC  Health  System,  we  have  certain  systems  in 
place  that  do  that,  and  the  value  is  enormous. 

I  think  the  point  that  you  are  making,  and  it  is  very  valid,  is 
that  if  there  is  a  stigma  attached  to  it,  or  people  are  concerned  that 
there  will  be  a  stigma  attached  to  their  condition,  they  are  going 
to  be  less  forthright,  or  they  are  going  to  be  concerned  about  seek- 
ing medical  treatment. 
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And  clearly,  privacy  rules  and  regulations  need  to  be  in  place  to 
ensure  that  those  stigmas  are  not  attached,  but  we  have  to  be  very 
mindful  of  the  true  value;  the  real  benefit  here  is  to  have  that  in- 
formation available,  use  it  for  its  intended  purposes,  use  it  for  re- 
search, so  that  in  the  future,  the  stigma  of  AIDS  goes  away  simply 
because  we  are  able  to  cure  AIDS  or  address  AIDS. 

Senator  Wellstone.  The  light  is  yellow,  but  let  me  do  a  quick 
follow-up.  I  understand.  Dr.  Koski,  that  with  research,  your  answer 
is  on  target,  but  with  regard  to  other  uses  of  this  information,  this 
is  a  serious  question  that  I  have  raised.  So  again,  I'd  like  your 
opinions  about  a  category  of  sensitive  information  to  include  mini- 
mally mental  health,  genetic,  and  HIV  status  information  with  spe- 
cial privacy  protections. 

Mr.  Houston.  The  Commonwealth  of  Pennsylvania  today  carves 
out  exceptions  for  AIDS  and  other  types  of  information,  and  it  actu- 
ally holds  them  to  a  higher  standard.  I  think  we  need  to  take  ac- 
count of  that,  but  again,  in  the  end,  I  want  to  make  sure  that  we 
are  able  to  use  the  information  for  its  intended  purposes.  From  my 
perspective,  I  think  that  is  what  is  most  important,  and  whatever 
those  purposes  are,  whether  they  be  research  or  otherwise  helping 
those  people  to  lead  productive  lives  and  to  help  ensure  that  their 
condition  is  alleviated  or  lessened,  I  think  is  very  important,  and 
I  think  we  have  to  try  to  aim  toward  those  goals. 

Ms.  Farmer.  From  the  employer  perspective,  if  I  am  understand- 
ing you  correctly,  I  think  that  the  individual's  rights  and  needs  are 
protected  through  the  legislation  that  is  afforded  through  the 
Americans  with  Disabilities  Act  in  that  it  provides  protection  for 
the  individual  from  the  employer's  misuse  of  sensitive  or  personal 
medical  information  in  the  field  of  employment. 

So  the  inappropriate  use  of  perhaps  HIV  information  or  breast 
cancer  or  whatever  the  medical  condition  may  be,  employers  are  al- 
ready restricted,  and  individuals  already  have  rights  in  regard  to 
those  protections. 

Dr.  KOSKI.  Clearly,  if  individuals  are  concerned  that  telling  a 
doctor  about  your  medical  problems  is  going  to  result  in  the  loss 
of  your  medical  insurance,  you  do  not  have  much  incentive  to  be 
open  about  it,  so  I  would  agree.  Real  teeth  in  a  law  that  would  ap- 
propriately punish  misuse  of  information  and  would  prohibit  dis- 
crimination on  the  basis  of  information  that  is  provided  are  abso- 
lutely essential.  I  think  the  concerns  that  you  raise,  Senator 
Wellstone,  are  very  real. 

Senator  WELLSTONE.  Thank  you. 

Thank  you,  Mr.  Chairman. 

The  Chairman.  Go  ahead.  Senator  Dodd. 

Senator  DODD.  Just  following  upon  the  last  point  raised  by  Sen- 
ator Wellstone,  the  issue  of  employers  access  to  medical  informa- 
tion, is  a  difficult  area.  Obviously,  employees  may  not  want  sen- 
sitive health  information  to  be  shared  with  their  employer.From 
the  employer  perspective,  they  want  to  know  an  employee's  ability 
to  perform  the  functions  for  which  they  are  being  hired. 

But  an  area  where  I  think  it  is  very  clear-cut  is  discrimination 
against  individuals  with  a  predisposition  for  certain  illnesses  or 
certain  problems,  and  this  is  an  area  where  I  do  not  think  there 
should  be  any  debate.  We  now  know,  for  instance — at  Yale,  they 
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have  done  some  remarkable  work  on  breast  cancer  and  the  pre- 
disposition at  birth  with  infants — ^they  have  done  studies  on  twin 
girls — ^getting  down  to  the  degree  of  something  in  the  neighborhood 
90  to  95  percent  degree  of  probability  of,  untreated,  the  likelihood 
of  twin  girl  babies,  as  I  understood  the  study,  contracting  breast 
cancer.  And  an  employer  or  an  insurance  company  having  access 
to  that  kind  of  information  is  an  area  that  I  really  get  concerned 
about.  In  that  one,  the  lines  ought  to  be  bright  and  clear,  it  seems 
to  me.  Any  sharing  of  that  sort  of  information  on  predisposition  I 
would  like  to  see  prohibited. 

I  do  not  know  how  you  feel  about  that.  I  would  be  interested  in 
your  quick  response. 

Ms.  Farmer.  From  the  employer  perspective,  my  response  is 
short  and  sweet,  so  maybe  I  should  go  first.  That  is  

Senator  Wellstone.  Don't  disappoint  us,  now. 

Ms.  Farmer  [continuing].  OK.  Clearly,  the  predisposition  is  none 
of  the  employer's  business;  we  have  no  interest  in  it,  and  we  have 
no  interest  in  having  any  access  to  that  information. 

Senator  Dodd.  A  good  answer. 

Senator  Wellstone.  Yes,  a  good  answer. 

Mr.  Houston.  I  would  agree,  but  you  also  want  to  make  sure 
that  if  you  have  the  capability  to  arrive  at  those  conclusions,  this 
predisposition,  and  use  it  for  other  purposes  which  are  not  going 
to  disadvantage  the  person,  I  think  you  have  to.  Where  the  re- 
search will  allow  you  to  improve  their  quality  of  life  or  help  them 
take  actions  to  avoid  future  illness,  not  only  does  that  help  the  per- 
son, but  it  also  helps  reduce  the  cost  of  health  care  and  other  

Senator  Dodd.  With  the  consent  of  the  individual  we  are  talking 
about,  obviously. 

Mr.  Houston.  Absolutely,  absolutely.  But  I  think  it  is  really  im- 
portant that  we  look  at  the  other  bona  fide  reasons  for  why  this 
information  is  of  value  and  try  to  make  sure  the  law  allows  us  the 
freedom  to  do  what  is  right  and  to  understand  what  we  should  not 
be  doing. 

Senator  Dodd.  Dr.  Koski,  you  wanted  to  respond. 

Dr.  KOSKI.  Yes — I  am  chomping  at  the  bit  here.  One  of  the  real 
problems,  though.  Senator  Dodd,  is  that  it  may  not  be  possible  to 
prevent  that  information  from  being  released,  because — ^take  the 
example  of  breast  cancer — ^we  know  from  studies  that  have  been 
done  today  that  Ashkanazi  Jewish  women  have  a  higher  propensity 
to  develop  breast  cancer  because  of  a  gene  that  is  expressed  with 
higher  frequency  in  that  population.  As  we  learn  more  and  more 
about  human  genetic  information,  the  groups  that  we  will  be  able 
to  identify  as  being  at  risk  for  more  and  more  conditions  are  going 
to  become  more  and  more  prevalent,  so  that  eventually,  when  we 
understand — in  fact,  another  example  is  a  study  that  has  been 
around  for  years  and  years  and  years  that  shows  an  association  be- 
tween men  who  have  hair  on  their  earlobes  and  the  incidence  of 
coronary  artery  disease  

Senator  Dodd.  Immediately,  everyone  in  the  room  is  checking  his 
earlobes.  [Laughter.] 

Dr.  KOSKI.  This  is  the  problem.  So  the  focus,  I  believe,  should  be 
less  on  just  restricting  the  distribution  of  that  information  than  on 
making  sure  that  the  information  
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Senator  Dodd.  I  understand  that,  but  I  am  talking  about  the 
specific  genetic  predisposition  of  Ms.  Farmer.  I  would  think  we 
could  make  it  a  violation  of  the  law  for  someone  to  discriminate 
against  hiring  an  Ashkanazi  Jewish,  because  of  the  potential  that 
she  may  contract  breast  cancer.  That  is  what  we  are  looking  at 
from  this  side  of  the  dias  here.  It  seems  to  me,  we  ought  to  be  able 
to  get  almost  unanimity  of  thought  on  that  particular  point. 

I  have  one  other  question,  but  my  colleague  may  have  some  ques- 
tions. 

The  Chairman.  We  have  another  panel. 

Senator  Wellstone.  The  chairman  is  putting  unbelievable  pres- 
sure on  me. 

Senator  Dodd.  Just  one  more.  These  are  very  important  wit- 
nesses we  have  here,  Mr.  Chairman. 
The  Chairman.  Make  it  short. 

Senator  Dodd.  I  raised  the  issue  with  you  earlier.  I  asked  the 
FDA  Commissioner,  Dr.  Henney,  when  she  was  here  whether  she 
thought  Internet  pharmacies  would  come  under  the  scope  of  the 
regulations  that  we  have  seen  drafted.  She  indicated  that  she 
wanted  to  look  at  it  further  and  did  not  have  a  quick  answer  for 
us,  and  I  respect  that.  But  while  I  have  you  medical  privacy  ex- 
perts in  front  of  me,  I  would  like  to  pose  the  question  to  the  three 
of  you  and  get  obviously  quick  answers  if  you  can,  and  maybe  you 
can  follow  up  in  writing  if  you  wish.  But  do  you  believe  that  Inter- 
net companies  that  provide  drugs  over  the  Internet  would  be  re- 
quired to  comply  with  the  regulations,  one;  and  two,  how  about  web 
sites  that  just  provide  health  consultations,  advice,  or  manage  con- 
sumers' medical  records — that  is  out  there  as  well  today — ^but  do 
not  prescribe  drugs — could  this  regulation  be  an  additional  tool  for 
shutting  down  unscrupulous  on  line  pharmacies,  which  we  have  al- 
ready had  a  good  hearing  on. 

So  those  are  the  three  quick  questions. 

Mr.  Houston.  I  personally  do  not  know — I  do  not  know  what 
category  

Senator  DoDD.  Do  you  want  to  call  a  friend?  [Laughter.] 
Mr.  Houston.  I  want  to  use  one  of  my  lifelines.  Personally,  off 
the  top  of  my  head,  my  thought  would  be  that  I  think  the  AHA 
could  help  you  out  in  that  regard.  I  do  not  think  that  necessarily 
an  on  line  pharmacy  would — I  do  not  know  which  category  they 
would  fall  under,  whether  provider,  payer,  or  otherwise.  I  do  not 
know  how — again,  it  depends  on  whether  they  are  going  to  use  the 
data  in  anonymyzed  or  otherwise,  but  I  do  not  know. 

Ms.  Farmer.  From  the  employer  perspective,  I  would  also  have 
questions  whether  they  are  friend,  foe,  beast,  or  animal.  What  I 
would  say  is  that  currently,  most  of  the  Internet  drugstores  have 
positioned  themselves  as  retail  stores  as  opposed  to  benefits  which 
employers  provide  to  their  employees,  and  they  are  taking  the  posi- 
tion that  they  are  just  a  different  sales  channel.  While  they  have 
approached  the  employer  community  on  various  occasions  and  tried 
to  enter  into  the  benefit  arena,  right  now,  we  do  not  regard  them 
as  benefits. 

However,  we  do  have  pharmacy  managers  that  fall  under  this 
regulation,  and  they  do  have  legitimate  needs  for  data  which  is 
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geared  around  the  whole  issue  of  reducing  medical  errors,  for 
which  employers  have  great  interest. 

Dr.  KOSKI.  The  drugs  that  people  are  on  is  basically  a  blueprint 
of  their  medical  problems;  if  they  did  not  have  the  problems,  they 
would  not  be  on  the  drugs.  If  you  give  me  a  list  of  drugs  that  some- 
one is  taking,  I  can  tell  you  an  awful  lot  about  their  medical  his- 
tory. 

Certainly  pharmacists,  wherever  they  are — Internet  pharmacies, 
your  local  CVS,  whatever— will  be  recipients  of  private  health  in- 
formation when  a  person  goes  in  to  have  a  prescription  filled,  and 
the  information  that  they  receive  should  be  used  solely  for  the  pur- 
pose of  filling  that  prescription  and  providing  advice  and  counsel 
on  the  safe  use  of  that  drug  to  the  individual.  It  should  be  used 
for  no  other  purpose.  And  we  have  already  seen  instances  where 
pharmacies  have  sold  that  information  for  other  purposes,  much  to 
the  concern  of  not  only  the  individuals  but  the  law  enforcement 
agencies  where  those  things  have  occurred.  So  I  think  I  could  give 
a  very  strong  and  clear  answer  to  that,  that  yes,  I  would  think  that 
any  entity  that  receives  personal  identifiable  health  information 
should  be  required  to  respect  that  information  and  handle  it  ac- 
cording to  the  provisions  of  strict  privacy  protections. 

The  Chairman.  Thank  you  very  much. 

Senator  DODD.  That  is  the  right  answer,  I  was  going  to  say. 

The  Chairman.  You  have  your  right  answer  now. 

Senator  DoDD.  But  also,  on  the  unscrupulous  Internet  drug  com- 
panies, do  you  think  this  might  be  a  vehicle  by  which  we  might  be 
able  to  weed  out  some  of  the  fraudulent  operations  out  there — 
"fraudulent"  is  not  the  right  word — ^unscrupulous  operations. 

Dr.  KOSKI.  That  sounds  like  a  good  job  for  the  OIG. 

Senator  Dodd.  Thank  you,  Mr.  Chairman. 

Thank  you  all. 

The  Chairman.  I  thank  all  the  panelists  for  your  very,  very  help- 
ful information. 

I  would  now  like  to  call  forward  our  final  panel  which  includes 
Dr.  Joanna  Horobin,  Mr.  Charles  Kahn,  and  Ms.  Janlori  Goldman. 

Dr.  Joanna  Horobin  is  executive  vice  president  of  commercial  de- 
velopment for  EntreMed,  Incorporated.  Prior  to  joining  EntreMed, 
Incorporated,  in  February,  1999,  Dr.  Horobin  was  vice  president, 
corporate  oncology,  at  Rhone  Poulenc  Rorer,  and  in  that  role 
launched  RPR  as  a  global  player  in  oncology.  Between  1987  and 
1992,  she  held  a  number  of  clinical  development  and  management 
positions  with  Rhone  Poulenc  Rorer.  Prior  to  joining  RPR,  she 
spent  5  years  in  clinical  development  roles  with  Beecham  Pharma- 
ceuticals. A  British  citizen.  Dr.  Horobin  graduated  from  the  Uni- 
versity of  Manchester  Medical  School  in  1978.  She  is  a  member  of 
the  U.K.  Royal  College  of  General  Practitioners  and  holds  the  U.K. 
Diploma  of  Pharmaceutical  Medicine.  She  has  recently  moved  to 
Bethesda,  MD  with  her  husband  and  two  children.  We  welcome 
you.  Dr.  Horobin. 

Mr.  Charles  N.  Kahn  III  is  president  of  the  Health  Insurance  As- 
sociation of  America,  Washington,  DC.  It  is  good  to  see  you  again. 
HIAA  numbers  among  its  members  nearly  300  companies  which 
provide  health,  long-term  care,  dental,  disability,  and  supplemental 
insurance.  Mr.  Kahn  has  had  numerous  academic  and  advisory  ap- 
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pointments.  In  addition  to  teaching  health  poHcy  at  The  Johns 
Hopkins,  George  Washington,  and  Tulane  Universities,  he  has 
written  on  health  care  financing.  Mr.  Kahn,  good  morning,  and 
welcome  to  you. 

Finally,  I  would  like  to  introduce  Janlori  Goldman,  who  is  direc- 
tor of  the  Health  Policy  Project  at  Georgetown  University.  Ms. 
Goldman  has  researched  and  written  extensively  on  privacy  policy 
for  several  years.  She  is  currently  also  deputy  director  of  the  Cen- 
ter for  Democracy  and  Technology  and  has  held  several  past  posi- 
tions with  the  ACLU.  Ms.  Goldman  holds  a  J.D.  from  the  Hofstra 
University  School  of  Law.  Thank  you  for  being  here. 

Dr.  Horobin,  please  proceed. 

STATEMENTS  OF  DR,  JOANNA  C.  HOROBIN,  SENIOR  VICE 
PRESIDENT  FOR  COMMERCIAL  DEVELOPMENT,  ENTREMED, 
INCORPORATED,  ROCKVILLE,  MD,  ON  BEHALF  OF  THE 
BIOTECH  INDUSTRY  ORGANIZATION;  CHARLES  N.  KAHN,  IH, 
PRESIDENT,  HEALTH  INSURANCE  ASSOCIATION  OF  AMER- 
ICA, WASHINGTON,  DC;  AND  JANLORI  GOLDMAN,  DIRECTOR, 
HEALTH  POLICY  PROJECT,  INSTITUTE  FOR  HEALTHCARE 
RESEARCH  AND  POLICY,  GEORGETOWN  UNIVERSITY,  WASH- 
INGTON, DC 

Dr.  Horobin.  Thank  you,  Mr.  Chairman,  and  thank  you  also  for 
the  opportunity  to  testify  at  this  important  hearing  on  medical 
records  privacy. 

I  am  testifying  this  morning  on  behalf  of  the  Biotechnology  In- 
dustry Organization,  or  BIO.  As  you  heard,  my  name  is  Dr.  Joanna 
Horobin,  and  I  am  EVP  for  EntreMed,  a  biotechnology  company 
based  in  Maryland. 

As  you  heard,  a  physician  by  training  and  practice,  I  have  been 
involved  in  the  pharmaceutical  drug  development  business  for  over 
18  years,  and  for  the  last  8  years  specifically  in  oncology  drug  de- 
velopment. As  I  am  sure  all  of  you  know,  the  drugs  that  are  avail- 
able to  fight  cancer  today  have  at  best  been  poor  in  assisting  pa- 
tients with  cancer,  and  the  price  those  patients  have  to  pay  in 
terms  of  drug  toxicity  has  been  significant. 

At  EntreMed,  we  are  trying  to  develop  a  totally  new  approach  to 
treating  cancer  by  harnessing  the  body's  own  control  systems.  We 
have  identified  natural  molecules  that  inhibit  the  abnormal  and 
unwanted  growth  of  new  blood  vessels  that  allow  tumors  to  grow 
and  spread  but  without  the  side  effects  that  we  have  learned  to  ex- 
pect with  traditional  cancer  treatments.  And  just  6  months  ago,  we 
put  the  first  of  our  three  lead  molecules  into  clinical  trials.  We  now 
have  endostatin,  angiostatin,  and  2-ME-2  in  early  clinical  testing 
and  a  very  aggressive  clinical  development  plan  for  those  three 
molecules. 

It  is  for  exactly  those  reasons  why  I  am  so  pleased  to  have  the 
opportunity  to  testify  on  behalf  of  BIO  today.  The  objective  of  the 
biotechnology  industry  is  to  bring  breakthrough  products  to  pa- 
tients as  rapidly  as  possible,  and  I  feel  certain  that  that  is  an  objec- 
tive that  the  patients  themselves  also  share. 

But  I  am  very  concerned,  as  is  BIO,  that  there  are  some  aspects 
of  the  administration's  proposal  on  medical  records  privacy  that 
may  actually  have  the  exact  opposite  effect  and  may  actually  slow 
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down  the  potential  pace  of  medical  research  and  new  drug  develop- 
ment. 

With  that  introduction,  I  would  like  to  make  three  points.  First, 
I  would  like  to  assure  you  that  BIO  fully  supports  the  enactment 
of  laws  to  protect  patient  confidentiality.  Indeed,  patients  are  piv- 
otsd  to  the  success  of  the  biotechnology  industry.  We  want  to  make 
breakthrough  medicines  available  to  patients  quickly,  but  to  do  so 
requires  their  involvement  in  clinical  research  protocols  designed  to 
test  our  drugs  in  a  very  rigorous  manner.  We  respect  the  patients 
who  participate  in  that  process,  and  we  respect  and  want  to  main- 
tain their  confidentiality. 

The  second  point  I  want  to  make,  though,  is  that  BIO  supports 
the  enactment  of  a  national  law  that  protects  the  confidentiality  of 
medical  information.  And  indeed,  Mr.  Chairman,  it  is  very  impor- 
tant to  us  that  it  is  a  national  law.  Maybe  I  can  explain  our  specific 
view  on  that. 

Today,  my  company s  products,  for  example,  are  being  tested  in 
what  we  call  "single-center  protocols."  What  that  means  is  that 
each  study  is  discrete  and  conducted  entirely  in  one  treatment  cen- 
ter. But  as  I  am  sure  you  all  know,  the  FDA  rightly  expects  to  see 
results  in  several  hundred  patients  at  least  before  approving  the 
drug  for  market. 

The  quickest  way  for  us  to  gather  this  important  data  is  in 
multicenter  protocols — essentially,  exactly  the  same  study  is  con- 
ducted by  many  different  researchers  in  many  different  centers  in 
different  States.  But  a  study  just  last  year  showed  that  differences 
do  exist  State-to-State  between  the  different  health  privacy  laws, 
and  during  this  last  legislative  session  alone,  26  States  have  de- 
bated laws  concerning  privacy.  Today,  my  company  has  protocols  in 
just  five  States.  By  the  end  of  this  year,  we  would  expect  that  to 
probably  double  and  to  probably  double  again  next  year.  And  we 
believe  that  it  is  very  important  that  laws  concerning  patient  con- 
fidentiality are  conducted  on  a  national  basis,  which  will  allow  the 
speed  with  which  those  protocols  take  place  at  the  same  pace  as 
we  can  do  today  with  single-center  protocols. 

My  third  point  concerns  the  proposed  medical  confidentiality  reg- 
ulations, and  until  we  are  able  to  secure  enactment  of  Federal  leg- 
islation, we  need  to  ensure  that  the  pending  medical  confidentiality 
regulations  strike  the  same  balance  as  laid  out  in  the  chairman's 
mark  of  last  year.  But  unfortunately,  in  some  ways,  they  do  not, 
and  I  would  just  like  to  share  two  specific  examples. 

We  are  concerned  that  in  the  effort  to  de-identify  medical  infor- 
mation, we  may  not  be  able  to  collect  that  data  that  is  actually 
needed  for  the  proper  conduct  of  clinical  research  and,  moreover, 
the  proper  reporting  of  some  of  that  data  to  the  FDA. 

Study  protocols  such  as  those  that  we  and  other  organizations 
conduct  require  patients  to  fulfill  very  tight  eligibility  criteria. 
These  include,  for  example,  the  age  of  the  subjects.  This  is  particu- 
larly important — ^for  example,  we  may  want  to  exclude  some  pa- 
tients who  would  be  at  greater  risk  with  that  protocol,  like  the  el- 
derly or  the  young.  They  often  and  almost  always,  in  fact,  specify 
very  specific  types  of  disease  or  subsets  of  a  disease.  And  the  re- 
porting of  adverse  events  associated  with  clinical  protocols  also  re- 
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quires  that  we  give  information,  for  example,  on  the  patient's  date 
of  birth. 

If  you  give  me  the  opportunity  to  get  up  and  show  you  some- 
thing, I  would  like  to  show  you  the  types  of  information  that  we 
collect  in  these  clinical  research  protocols. 

I  hope  you  can  hear  me  without  the  microphone.  What  I  have 
here  are  a  couple  of  representative  pages  from  a  docimient  that  is 
usually  used  in  the  industry  called  a  "CRF"  or  a  "Clinical  Data 
Form." 

The  Chairman.  I  have  it  in  front  of  me  here. 

Dr.  HOROBIN.  OK.  What  I  want  to  show  people  is  the  type  of  in- 
formation that  is  routinely  collected.  Now,  the  actual  document  for 
any  given  study  would  be  many,  many  pages;  I  have  just  two  rep- 
resentatives pages  here,  the  first  couple  of  pages. 

We  do  indeed  collect  information  on  the  patient's  date  of  birth, 
and  as  I  said,  that  is  important  for  eligibility.  But  also,  and  very 
importantly,  one  of  the  tMngs  we  ask  first  of  all  is  has  this  patient 
given  informed  consent  to  participate  in  this  clinical  study  and  to 
have  information  about  their  progress  in  this  clinical  study  re- 
corded, and  that  has  to  be  recorded  right  up  front  in  this  document. 

We  ask  other  things  which  are  relevant  to  the  particular  study — 
if  the  patient  smokes,  for  example,  do  they  have  a  history  of  certain 
diseases.  And  as  you  can  see,  there  is  a  lot  of  information  here 
which  is  of  a  general  nature  about  the  patient's  general  back- 
ground. 

I  don't  think,  though,  as  a  physician,  that  I  would  find  it  very 
easy  to  identify  an  individual  patient  from  the  sort  of  information 
that  is  collected  here.  Even  if  we  add  the  individual  site  that  is  in- 
volved, or  even  if  we  add  the  patient's  initials,  it  is  really  very  dif- 
ficult for  us  to  identify  who  this  patient  is  at  the  time  that  these 
records  are  collated  for  clinical  database  purposes. 

I  hope  that  helps  people  understand  what  sort  of  information  we 
are  trying  to  collect. 

The  second  point  I  would  like  to  make  is  that  the  proposed  regu- 
lation also  extends  the  common  rule  to  potentially  noninter- 
ventional  medical  research — for  example,  the  review  of  medical 
records — and  this  may  not  seem  at  first  to  be  anything  of  great 
concern,  but  it  is  of  concern  to  us. 

For  example,  at  my  company,  EntreMed,  we  are  developing  new 
ways  of  treating  cancer.  That  means  we  need  to  ask  new  questions 
in  new  ways,  particularly  as  we  are  developing  different  t3^es  of 
cancer  treatments,  and  therefore,  the  old  ways  of  developing  cancer 
drugs  may  not  apply  to  these. 

For  example,  with  one  of  our  new  compounds,  investigators 
wanted  to  test  one  of  our  drugs  immediately  in  breast  cancer.  This 
required  that  they  do  a  search  of  medical  records  to  see  whether 
or  not  that  protocol  would  be  feasible.  The  proposed  ruling  on  medi- 
cal information  privacy  would  have  taken  potentially  a  few  months 
for  that  to  happen  if  additional  IRB  approval  had  been  required. 
We  did  not  need  to  do  that  in  the  current  situation,  so  we  did  not 
need  to  extend  the  potential  period  of  drug  development  for  that 
drug  by  another  3  months  or  so.  Three  months  may  not  seem  like 
a  lot  to  you,  but  if  you  look  at  it  in  the  way  that  we  look  at  it,  3 
months  can  actually  be  a  very  long  time.  Many  of  the  patients  in 
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the  protocols  whom  we  are  treating  have  less  than  a  year  to  live. 
Every  day  in  the  U.S.  alone,  1,500  patients  die  from  cancer.  In  3 
months,  that  would  be  about  150,000  patients.  So  3  months  can  in- 
deed be  a  significant  period  in  the  overall  time  of  a  drug's  develop- 
ment. 

To  conclude,  BIO  and  my  company  believe  that  patient  privacy 
is  indeed  a  very  important  issue,  and  patients  have  a  right  to  ap- 
propriate confidentiality.  But  as  you  put  in  place  necessary  and  in- 
deed very  appropriate  legislation  which  we  in  the  biotech  industry 
support  whole-heartedly,  we  want  you  to  ensure  that  it  is  done  in 
a  balanced  way  that  is  sensitive  to  the  need  to  bring  breakthrough 
drugs  to  patients  safely,  ethically,  and  above  all,  quickly. 

Thank  you  very  much  for  the  opportunity  to  testify. 

The  Chairman.  Thank  you  for  your  testimony. 

[The  prepared  statement  of  Dr.  Horobin  follows:] 

Prepared  Statement  of  Joanna  Horobin,  M.D. 

EXECUTIVE  SUMMARY 

The  Biotechnology  Industry  Organization  (BIO)  is  encouraged  that  the  Committee 
is  holding  this  hearing  to  discuss  protecting  the  confidentiality  of  patient  medical 
records.  BIO  supports  enactment  of  comprehensive  Federal  legislation  to  protect  the 
confidentiality  of  personal  medical  information.  Although  it  is  critical  to  protect  pa- 
tients' confidentiahty  rights,  federal  proposals  must  be  carefiilly  written  to  assure 
the  continuation  of  vital  medical  research  on  diseases  and  conditions  faced  by  these 
same  patients.  The  Clinton  Administration's  proposed  confidentiality  rule  fails  this 
test.  In  contrast  to  the  Chairman's  mark  from  last  year,  the  Administration's  pro- 
posal does  not  recognize  that  medical  researchers  must  use — and  share — ^identity- 
encoded  medical  information  where  there  is  no  potential  for  compromises  in  patient 
confidentiality.  To  encumber  this  use  and  sharing  of  this  encoded  information  would 
be  damaging  to  biomedical  research.  In  addition,  federal  legislation  is  needed  to  cre- 
ate national,  uniform  confidentiality  protections,  rather  than  leaving  researchers 
subject  to  a  patchwork  of  different  and  sometimes  inconsistent  state  laws.  While  it 
is  important  to  protect  patients,  imposing  unnecessary  and  inappropriate  restric- 
tions on  access  to  important  medical  data  will  slow  research  efforts  to  treat  and  cure 
these  patients.  Federal  legislation  and  regulation  must  facilitate  the  legitimate  re- 
search uses  and  sharing  of  medical  information  to  help  ensiu*e  that  the  bio- 
technology industry  will  continue  to  bring  breakthrough  products  to  the  bedside  for 
patients  with  deadly  and  disabling  diseases.  This  is  the  balance  we  find  in  the 
Chairman's  mark. 


STATEMENT 

Good  morning.  My  name  is  Joanna  Horobin.  I  am  Executive  Vice  President  for 
Commercial  Development  for  EntreMed,  Inc.,  a  biotechnology  company  in  Rockville, 
Maryland.  I  am  testifying  on  behalf  of  the  Biotechnology  Industry  Organization 
(BIO).  BIO  represents  916  companies,  academic  institutions  and  state  biotechnology 
centers  engaged  in  biotechnology  research  on  medicines,  diagnostics,  agriculture, 
pollution  control  and  industrial  applications. 

EntreMed  is  developing  antiangiogenic  drugs  designed  to  inhibit  the  abnormal 
new  blood  vessel  growth  associated  with  a  broad  range  of  diseases  such  as  cancer 
and  heart  disease.  Our  company  has  several  products  currently  in  clinical  trials 
being  conducted  at  major  cancer  centers  in  foiu*  states.  As  the  program  on  these 
products  expands,  multi-center  protocols  will  be  initiated  at  several  centers  in  dif- 
ferent states  and  potentially  overseas. 

My  objective  throughout  my  career — whether  as  a  prescribing  physician,  clinical 
researcher,  or  as  a  business  executive  responsible  for  the  launch  of  new  drugs — has 
always  been  to  provide  the  best  therapeutic  options  for  patients. 

Let  me  make  three  points. 

BIO  Support  for  Confidentiality  Protections 

First,  BIO  has  consistently  supported  national  legislation  to  protect  the  confiden- 
tiality of  medical  information.  BIO  strongly  supports  enactment  of  a  law  that  pro- 
tects patients'  confidentiality,  just  as  we  supported  barring  discrimination  on  the 
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part  of  group  health  plans  based  on  "genetic  information".  We  view  it  as  a  moral 
duty — and  good  public  policy — to  assure  the  public  that  the  great  promise  of  bio- 
technology research  will  not  be  tarnished  by  abuses  of  this  technology. 

We  are  proud  of  the  fact  that  BIO  worked  effectively  in  1996  to  secure  enactment 
of  an  amendment  to  the  Health  Insurance  Portability  and  Accessibility  Act  that  pro- 
vides important  protections  against  discrimination  by  health  insurance  companies 
based  on  "genetic  information"  about  the  individual.  The  protections  against  dis- 
crimination based  on  "genetic  information"  were  not  included  in  original  House  or 
Senate  version  of  the  legislation.  The  bills  provided  protections  against  discrimina- 
tion based  on  "pre-existing  conditions,"  but  this  was  defined  as  a  condition  for  which 
there  had  been  a  diagnosis  and  treatment.  Adding  "genetic  discrimination"  means 
that  individuals  who  take  a  predictive  genetic  test  to  determine  if  they  will  or  are 
likely  to  manifest  symptoms  of  a  genetic-based  disease  are  also  protected.  In  fact, 
they  have  greater  protections  than  individuals  with  pre-existing  conditions  (not 
being  subjected  to  a  waiting  period  for  health  benefits  coverage). 

We  now  need  to  supplement  this  first  ban  on  discrimination  based  on  genetic  in- 
formation with  confidentiaUty  protections  for  this  and  other  medical  information. 

BIO  Support  for  Confidentiality  Legislation 

Second,  BIO  supports  enactment  of  a  national  law  to  protect  the  confidentiality 
of  medical  information.  As  you  know,  despite  the  best  efforts  of  the  Chairman,  the 
Ranking  Member  and  many  others,  legislation  has  not  yet  been  enacted  on  this  sub- 
ject. We  urge  the  Committee  to  continue  to  work  towards  enactment  of  legislation. 
As  we  will  explain,  it  is  the  best  way  to  seoire  the  protections  patients  need  in  a 
way  that  is  compatible  with  medical  research. 

We  specifically  support  the  legislative  proposal  that  you,  Chairman  Jeffords,  pre- 
sented in  your  Chairman's  mark.  Specifically,  it  contained  a  bi-partisan  proposal 
crafted  by  Senators  Frist  and  Kennedy — and  was  agreed  to  by  the  Administration — 
for  oversight  of  research  not  subject  to  the  Common  Rule  that  would  provide  privacy 
protection  to  individuals  without  hurting  research.  These  provisions  created  an  ef- 
fective mechanism  for  reviewing  privacy  issues  raised  by  proposed  uses  of  health  in- 
formation for  research  purposes.  The  mark  also  created  a  definition  of  "nonidentifi- 
able  health  information"  that  included  coded  data,  thereby  facilitating  use  of  sci- 
entifically valuable  information  by  medical  researchers  without  jeopardizing  patient 
privacy. 

Mr.  Chairman,  we  also  need  federal  legislation  to  create  a  set  of  national,  uniform 
confidentiaUty  protections.  Clinical  trials  are  multi-state  ventures.  National  stand- 
ards would  allow  researchers  to  create  informed  consent  and  other  procedures  that 
will  be  legal  in  all  states.  The  fact  that  this  is  not  true  today  is  becoming  an  increas- 
ingly vexing  problem  for  biotechnology  companies.  A  1999  study  of  state  health  pri- 
vacy laws  showed  the  vast  differences  among  the  states.  In  addition  to  existing  dif- 
ferences, state  laws  in  this  area  are  in  flux.  During  this  past  state  legislative  ses- 
sion, 26  states  debated  laws  concerning  privacy.  This  environment  will  slow  impor- 
tant research  efforts. 

It  is  important  to  note  that  with  respect  to  the  research  impUcations,  the  dif- 
ferences among  states  do  not  seem  to  start  fi*om  differences  in  the  level  or  degree 
of  protection,  but  reflect  different  state  legislature's'  views  of  the  specific  procedures 
or  requirements  for  accomplishing  the  same  objective.  Nonetheless,  the  require- 
ments and  penalties  are  different  enough  to  require  every  researcher  to  hire  lawyers 
to  assure  compUance  with  the  laws  of  more  than  50  states  and  local  jurisdictions 
in  designing  informed  consent  dociiments  for  a  multi-state  trial. 

Strong  national  standards  will  also  give  the  public  peace  of  mind  because  they 
will  know  that  their  medical  information  is  subject  to  appropriate  protections.  This, 
in  turn,  will  make  them  more  willing  to  share  information  with  medical  researchers. 

The  Executive  Branch  does  not  have  the  authority  to  create  such  a  system.  That's 
why  Congress  must  act.  Thus,  BIO  urges  Congress  to  pass  necessary  legislation.  It 
should  contain  language  that  will  pre-empt  all  state  laws  that  would  inhibit  access 
to  information  important  to  research. 

BIO  Position  on  Pending  Confidentiality  Regulations 

Finally,  until  we  are  able  to  secure  enactment  of  Federal  legislation,  we  need  to 
ensiire  that  the  medical  confidentiaUty  regulations  proposed  by  the  Secretary  of 
DHHS  strike  this  same  balance.  The  current  proposal  does  not  do  so. 

As  with  the  Chairman's  mark,  federal  privacy  regulations  must  be  carefuUy  writ- 
ten to  aUow  the  continuation  of  vital  medical  research.  This  research  is  essential 
if  we  are  to  reaUze  the  promise  of  developing  new  treatments  and  cures  for  many 
diseases.  Legislation  or  regulations  that  unreasonably  restrict  researchers'  access  to 
and  use  of  medical  information  wiU  slow,  and  could  halt,  research  efforts,  thereby 
creating  a  barrier  to  the  development  of  new  drugs  and  biologies. 
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Regulatory  proposals  must  protect  patients'  privacy  rights  while  creating  an  envi- 
ronment that  encourages  vitally  important  medical  research  to  continue.  These 
goals  are  not  mutually  exclusive.  During  the  public  debate  over  this  issue,  no  one — 
from  patient  groups  to  privacy  advocates,  providers,  payers,  and  government  offi- 
cials— ^has  said  that  research  should  be  made  more  difficult  or  costly  by  the  legal 
framework  established  to  protect  medical  privacy. 

Unfortunately,  the  proposed  rule  has  precisely  that  unintended  adverse  effect  on 
research.  It  will  severely  hurt  medical  research.  Although  the  proposed  rule  does  not 
directly  regulate  BIO's  member  companies,  virtually  all  data  used  in  the  clinical 
phases  of  biotechnology  research  and  in  monitoring  the  safety  and  efficacy  of  prod- 
ucts after  marketing  comes  from  patients  who  are  receiving  care  from  a  "covered 
entity^  (e.g.,  hospital,  health  plan)  subject  to  the  proposed  rule.  As  a  result  of  its 
significant  new  requirements  on  covered  entities  and  its  restrictions  on  their  use  of 
data,  the  proposal  will  have  a  substantial  adverse  impact  on  biotechnology  compa- 
nies' abihty  to  carry  out  research. 

BIO  has  submitted  formal  comments  to  the  proposed  rule  that  describe  in  detail 
our  analysis  and  recommendations.  I  would  like  to  focus  on  a  few  critical  issues 
today. 

The  proposed  rule  creates  barriers  to  information  for  companies  engaged  in  re- 
search and  clinical  trials. 

BIO  believes  a  covered  entity  should  be  permitted  to  disclose  protected  health  in- 
formation after  making  reasonable  efforts  to  ensure  that  disclosiire  is  limited  to  the 
minimum  information  necessary.  A  covered  entity  should  be  permitted  to  rely  upon 
the  determinations  of  its  own  IRB  or  the  central  IRB  in  a  multi-center  clinical  trial 
for  purposes  of  determining  whether  disclosures  have  been  appropriately  limited. 
However,  the  proposed  rule  would  impose  civil  and  criminal  sanctions  on  an  entity 
unless  it  can  prove  it  made  "all  reasonable  efforts"  to  limit  disclosures.  This  will  be 
a  disincentive  for  covered  entities  to  share  information  and  will  deter  them  from  re- 
sponding to  the  recent  call  of  the  Institute  of  Medicine  to  reduce  the  frequency  of 
medical  errors  by  affording  all  providers  in  the  chain  of  care  timely  access  to  an 
integrated  clinical  information  system. 

Moreover,  the  proposed  regulation  requires  each  covered  entity  to  make  its  own 
independent  "minimum  necessary"  determination  for  every  research  use  or  disclo- 
sure. This  means  that  the  covered  entity  must  reach  an  independent  judgment  that 
the  purpose  of  each  use  or  disclosure  could  not  be  reasonably  accompushed  with  in- 
formation that  is  not  identifiable.  This  is  simply  unworkable  within  the  context  of 
a  large,  multi-center  cUnical  trial. 

IRBs  that  review  biotechnology  research  protocols  must  make  complex  judgments 
about  the  value  of  the  research,  the  scope  of  disclosure  in  the  consent  form,  and  the 
sufficiency  of  protections  for  patient  privacy.  Existing  federal  regulations  permit  in- 
stitutions cooperating  in  multi-center  clinical  trials  to  delegate  basic  decisions  about 
the  structure  of  the  research  protocol,  the  contents  of  the  consent  form,  and  the 
scope  of  any  patient  waivers  or  authorizations  to  a  central  IRB.  Delegation  of  review 
authority  allows  participating  sites  in  a  multi-center  trial  to  rely  upon  an  IRB 
whose  members  have  special  expertise  and  understanding  of  the  proposed  research. 
Unnecessary  duplication  of  effort  and  expense  is  avoided,  data  collection  is  stand- 
ardized, and  the  trial  coordinator  does  not  face  the  administrative  burden  of  manag- 
ing data  and  patient  records  from  multiple  sites  whose  IRBs  might  otherwise  place 
differing  requirements  and  limitations  upon  the  protocol. 

These  arrangements  likely  would  not  be  feasible  under  the  "minimum  necessary"  i 
rule,  as  drafted.  Covered  entities  arguably  could  no  longer  delegate  the  substantive 
review  of  protocols  and  consent  forms  to  the  central  IRB  in  a  multi-center  trial,  be- 
cause such  review  necessarily  involves  determinations  about  the  amount  of  informa- 
tion necessary  for  the  research  purpose. 

BIO  recommends  that  these  provisions  in  the  proposed  rule  be  appropriately 
modified. 

The  proposed  rule  creates  an  unworkable  scheme  for  creating  "de-identified"  infor- 
mation. 

Researchers  often  use  data  sets  of  de-identified  information  (information  that  is 
made  anonymous  or  coded  so  an  individual's  identity  is  not  revealed  and  cannot 
readilv  be  determined  by  the  researcher).  Such  research  projects  include  epidemio- 
logical studies,  outcomes  analyses,  and  studies  of  incidence  of  disease  or  access  to 
care  across  populations,  areas  or  time.  For  biotechnology  companies,  these  studies 
are  essential  to  identify  unmet  medical  needs  and  develop  hypotheses  about  the  en- 
vironmental, social,  behavioral,  and  genetic  roots  of  diseases  and  conditions. 

Whether  information  meets  the  proposal's  definition  of  "de-identified"  is  critical 
because  if  it  does  not,  it  is  deemed  to  be  "protected  health  informative"  and  its  use 
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or  disclosure  without  compliance  with  the  proposed  rule's  provisions  will  subject  the 
user  and  discloser  to  civil  and  criminal  penalties. 

The  proposed  rule  says  that  encrypted  and  coded  data  is  de-identified.  However, 
to  avoid  risk  of  civil  and  criminal  penalties,  entities  with  health  information  are 
likely  to  only  share  that  information  with  medical  researchers  if  they  meet  the  rule's 
two-part  test  that  determines  if  the  health  information  can  be  presumed  to  be  de- 
identified. 

The  first  part  of  the  test  Hsts  18  specific  identifiers.  If  any  are  present,  the  infor- 
mation cannot  be  presumed  to  be  de-identified.  However,  removing  all  of  the  ele- 
ments on  the  list  of  asserted  identifiers  would  result  in  medical  history  data  of  ques- 
tionable completeness,  raising  serious  doubts  about  the  validity  of  conclusions 
drawn  from  any  research  using  a  de-identified  database.  For  example,  one  listed 
identifier  is  birth  date.  There  would  be  serious  questions  about  the  vahdity  of  most 
studies  that  failed  to  specify  the  age  of  the  subjects. 

In  addition,  the  last  item  in  the  list  of  identifiers  would  require  removal  of  "  [a]ny 
other  unique  identifying  .  .  .  characteristic  .  .  .  that  the  [discloser  of  information] 
has  reason  to  beheve  may  be  available  to  an  anticipated  recipient  of  the  informa- 
tion." For  biotechnology  companies,  the  disease  or  condition  under  investigation 
often  afflicts  a  limited  population  of  individuals.  Therefore,  the  disease  under  inves- 
tigation arguably  could  be  considered  a  "unique  identifying  characteristic"  available 
to  the  researcher,  who  (as  a  clinical  expert  in  the  disease)  may  otherwise  be  able 
to  identify  the  patients  afflicted  with  the  disease.  Thus,  information  fi-om  patients 
with  rare  diseases  or  conditions  might  never  be  presiuned  to  be  de-identified. 

The  second  prong  of  the  proposed  rule's  de-identification  test  requires  that  the  en- 
tity providing  the  information  to  the  researcher  have  "no  reason  to  believe  that  any 
anticipated  recipient  of  such  information  could  use  the  information,  alone  or  in  com- 
bination with  other  information,  to  identify  an  individual."  This  creates  an  ex- 
tremely high  standard,  and  the  proposed  regulation  provides  no  guidance  regarding 
how  to  meet  the  "reason  to  believe"  standard,  even  though  failure  to  meet  the  stand- 
ard could  lead  to  civil  and  criminal  penalties. 

Thus,  BIO  believes  that  the  proposed  rule's  provisions  governing  de-identified 
data  are  too  restrictive.  When  combined  with  civQ  and  criminal  penalty  provisions, 
I  the  proposed  rule  creates  a  strong  disincentive  to  use  this  type  of  data,  thereby  de- 
priving biomedical  researchers  access  to  critical  information.  The  proposed  rule 
should  be  changed  to  create  a  more  reasonable  set  of  identifiers  that  may  be  used 
to  meet  a  test  of  presiimptively  de-identified  data. 

The  proposed  rule  creates  burdensome  restrictions  on  the  disclosure  and  use  of 
protected  information  not  subject  to  the  Common  Rule. 

Under  c\irrent  law,  FDA  regulations  and  the  "Common  Rule"  protect  patients  who 
participate  in  cUnical  trials.  This  includes  safeguards  such  as  oversight  by  Institu- 
tional Review  Boards  (IRBs),  informed  consent  requirements,  and  other  protections. 

Some  medical  research,  however,  falls  outside  the  Common  Riile.  Examples  in- 
clude medical  record  review  and  certain  "pre-cUnical"  research. 

The  proposed  rule,  in  effect,  extends  the  Common  Rule  to  aU  research.  Not  only 
does  this  go  beyond  the  Secretary's  authority  under  HIPAA,  but  it  will  also  impose 
excessive  restrictions  or  layers  of  bureaucracy  on  this  research. 

Instead  of  the  language  in  the  proposed  rule,  BIO  supports  the  structxire  devel- 
oped in  the  Frist-Kennedy  provisions  contained  in  the  Chairman's  mark. 
[  Conclusion 

As  the  Congress  reviews  and  debates  issues  relating  to  the  privacy  of  personal 
health  information,  our  industry  urges  you  to  remember  that  the  public  has  a  strong 
I    interest  in  the  medical  achievements  of  biotechnology.  The  biotechnology  industry 
j    is  on  the  cusp  of  developing  promising  new  drugs  and  treatments  for  people  with 
I    serious  diseases. 

While  it  is  critical  to  protect  patients'  confidentiality  rights,  imposing  too  many 
restrictions  on  access  to  important  data  will  slow  research  efforts.  Congress  must 
facilitate  the  positive  uses  of  medical  information  to  continue  the  breakthrough  sci- 
entific achievements  into  the  next  century. 

I  appreciate  the  opportunity  to  testify  and  look  forward  to  working  with  you  in 
this  endeavor. 

The  American  Psychiatric  Association  (APA),  a  medical  specialty  society  rep- 
resenting more  than  40,000  psychiatric  physicians  nationwide,  believes  that  Presi- 
dent Clinton's  proposed  medical  privacy  regulation  is  an  intended  first  step  toward 

Erotecting  patient  privacy.  Unfortimately,  the  proposed  regulation  would  move  us 
ackwards,  because  it  no  longer  requires  that  patient  consent  be  obtained  before 
medical  records  are  used  or  disseminated  for  a  broad  range  of  purposes.  Accordingly, 
we  beheve  that  before  any  regulations  are  finaUzed,  additional  protections  are  es- 
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sential  to  provide  the  level  of  patient  privacy  needed  to  insiire  high  quality  health 
care. 

In  his  State  of  the  Union  address,  President  Clinton  stated  that  the  final  regula- 
tions would  be  issued  this  year,  and  we  encourage  members  of  Congress  to  convey 
to  the  Clinton  Administration  their  belief  that  privacy  protections  need  to  be  added 
to  the  proposal.  As  the  attached  Journal  of  the  American  Medical  Association  edi- 
torial indicates,  it  is  critically  important  to  include  the  following  additional  privacy 
protections  before  the  proposed  privacy  regulations  are  finalized: 

1)  The  Administration's  proposal  turns  its  back  on  the  traditional  requirement  for 
patient  consent  before  the  dissemination  of  medical  records  information.  Regret- 
tably, the  proposed  rule  would  authorize  automatic  dissemination  of  patients'  medi- 
cal records,  including  highly  sensitive  information  (such  as  mental  health  and  repro- 
ductive health  information),  for  broadly  defined  "treatment,  payment,  and  health 
care  operations  purposes."  Unless  these  provisions  are  changed  patients  would  lose 
certain  privacy  protections  they  now  enjoy.  APA  recommends  that  patient  consent 
as  it  operates  today  must  be  preserved  and  indeed  strengthened. 

2)  Meaningful  limitations  on  the  disclosiire  of  medical  records  information  in 
criminal  and  civil  coiut  cases,  to  employers  and  to  "government  health  data  sys- 
tems" are  necessary. 

3)  We  need  additional  protection  to  ensure  that  patients'  highly  sensitive  medical 
information,  including  information  on  mental  health  treatment,  is  only  disclosed 
with  the  consent  of  the  patient. 

We  support  nxmierous  positive  provisions  in  the  proposed  privacy  regulations  in- 
cluding: 

— ^the  general  rule  of  non-preemption  of  state  laws  more  protective  of  privacy 
— ^the  opportunity  for  patients  to  request  additional  privacy  protections 
— extension  of  federal  "common  rule"  research  protections  to  privately  funded  re- 
search 

Thank  you  for  considering  our  views. 
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ol  the  ajtinrs  ind  Tx  Jouwm.  nd  not  ttnse  of 
0«  Anenon  Aitedo^  AsDcUion. 


Journal  of  the  American  Medical  Association 
February  9, 2000 

hreats  to  the  Confidentiality 

i  Medical  Records— No  Place  to  Hide 


ai  S.  AppdbiBP,  MP 


F  mVACr  tS  NOT  AN  EXTINCT  PHENOMENON,  U  CEX- 
aiahf  is  m  exKbsfercd  one  Entreprtsecxs— often  os- 
isg  qMesDonibk  tactics — offer  iccess  to  pdyal£  data 
about  persoss  iiuzxTus  aod  obscure'  More  msidioasly, 
basybodies*  gather  mrfVss  mfoTmadoo  about 
ifl,  as  we  dieck  om  at  snpcrmarkm,  irakr  purchases  widi 
it  cards,  and  browse  Web  sites  wbcrc  rrrry  dick  of  a 
use  rrrtals  something  about  oai  peculiarities  and 
terences."  There  is,  incrra singly,  no  place  to  hide, 
aoogji  die  coaaactioa  ol-ptrncv  is  other  spheres  may 
aase  kx  aaacxra,  ia.inedirinf  the  probiem  is  particu- 
j  liUTu  ul«  Daaasds  for  access  to  medical  informaboQ 
put  fianrard  in  the  oame  of  ca»  savings,,  quality  im- 
maeni,  pubfic  heaUL,  advances  in  research,  and  odier 
iaUe  gpab/  Managed  care  companies  insist  oo  review- 
mrdiral  charts  to  determine  if  care  should  be  autho- 
d;  " '  I  wtiring  bodies  want  id  ascertain  that  chnioans' 
s  are  detailed  aztd  complete; ^orenunent  agencies  seek 
\d£abk  informaiioo  iar  planning  purposes  and  to  pre- 
t  EtauD^  and  law  eniorcasent  agencies  see  in  mrtftral 
wds  a  means  to  vdentiiy  and  coovia  wrongdoers.  Most 
lie  tisae,  kxzss  to  these  records  is  sought  without  pa- 
ts'kaowiedgc  or  (in  more  than  a  txmahstic  way)  cocsenL - 
harmacy  benefits  manageanent  fPBMX  disaissfd  by  Lo 
Alpers  mihis  isae  of  Tiffi  Journal,*  exeinplifies  the  coii- 
s  evoked  by  the  orw  ways  in  which  identi&abk  laedical 
,  in  this  case  prescription  drctg  data,  fs  being  used, 
of  hard  evidence  dcsKXiscradng  dut  aggres- 
,  of  prescripcioD  practices  eSiher  saves  money 
i^M[jms  care,  milbons  of  panent  records  each  year  are 
"^"'■■^  by  PbM '  ^  ir^i'r'i^''^.  the  largest amcog  ri>f  lii  owned 
^anaceutical  '  ■  rmjini^  that  have  overt  frrmv-ial  cq. 
;s  in  matapuhting  prescribing  practices.^  Panents  are  not 
that  these  entities  will  have  access  to  their  records  (a  re- 
snrvcy  suggests  thai  they  wouki  object  if  d>ey  knew*) 

y«t       r>rnrmTWT>/^afi/in<;  fir  rhsn^  vn  nvArafifm  Tggi- 

s  that  are  ma<k  by  dieir  pharmacists  and  pbysidaDS  toay 
Ttnubtyfl  by  a  aiQ  frotn  a  P6M  company. 

CgulatiOOS  on  the  tse     rrw>r<v-al  mffTrmafVTW  haw  lagged 

ni  (he  nptd}y  protiferaring  purposes  bx  the  disenma- 
o^snch  data.  AhhoQgfa  ^0%  of  Tespoodenis  to  a  sor- 
xlieved  diat  the  pcivacy  of  tboT  medical  records  was  pro- 


tected  by  federal  law,'  in  fact  no  comprehensive  federal 
legislancai  or  regulatioo  exists.  Even  at  the  state  level,  legal 
proteoiajs  are  spotty,  especially  for  disdoOTB  and  use  of  in- 
fcrmataii  by  entities  (eg,  insorers,  managed  care  Of  gaiilzatioDS, 
pharmades)  other  than  diose  providing  direa  care,  indud- 
ing  secondary  disclosure  for  such  purposes  as  marketing.* 

Congress  has  intensiBed  its  straggle  with  crafting  medical 
privacy  legislation  ever  since  the  £ailnre  of  the  Gintoc  health 
plaii,  but  to  htlk  cfieci.  It  has  been  unable  to  resoive  the  coii- 
S&a  between  diose  forces  seeking  greater  availability  of  medi- 
cal  record  information -and  advocates  of  nvdical  privacy.** 
To  stinrulate-aaion  oo-die  isoc^  Congress  seiaseira  dead- 
fine  of  j^igust  1 999  lor  the  enactment  of  comprehensivt  medi- 
cal privacy  legislation  when  it  pased  die  Health  Insurance 
Portabihty  and  Accountability  Actof 1996.  Gongres'£rilnre 
10  meet  that  deadbne  has  triggered  another  pFovisiod  in  the 
biB  that  empowes  the  Departmem  of  Health  and  ^imnan  Ser- 
vices CDlBiS)  to  isue  r^ulations  that  attempt  to  accom- 
plish what  Congress  could  ^^o{  do  oo  its  own.  An  initial  draft 
of  those  regulations  .has  ^been.  published  for  public  coin- 
menL"  At  ^  dose  of  the  comment  period  oo  February  L7, 
2C0C,thrlDHHS  w^  have  an oppdrcadiy-Go  modify  £e  re^ 
ktiotjs  before  they  are  iSBOfid  in  final  fcinL  ~ ' 

It  is  worth  paying  ckseattmfinn  to  the  details  of  daePHHS 
-pnjposal  Althon^  several  -new  areas  of  protection  ior  ia- 
ibrmation  are  creat£d,~mai]^  provisioos  bavrfeneiated  un- 
derstandable concern'  amot^  advocates -for medical  pri- 
vacy. As  drafted,  the  regulations^  address  oo^^mfoixtuuioo 
that  *is  or  at  some  point  has  been  electronicaSy  auin- 
-tiined  or  transmincd.  .  .  . pres^unaidy  tlis  iQ_ 
dudes  every  in<niical  note  typed  on  a  word  piucessor,  as  weO 
as  bdhng  and  other  informatioo  seiU  in  ekctrooic  fbrm.  But 
DHHS  apparendy  believes  that  it  has  stamtoty  aud»rity  to  . 
fTtfTK^  these  regulations  to  all  Iv^lfh  information  awl  has 
invited  input  as  to  whether  it  should  do  so.  Given  the  dif- 
ficulties with  treating  mediral  records  differently  depend- 
ing on  whether  they  ever  existed  in  ekctromc  iorin,  it  seesss 
likely  that  the  final  regulatioos  (barring ct»gressioaal  dis- 
sent) ultimately  will  apply  to  all  medical  inform^oon. 

First  and  foremost,  the  proposed  regdaocns  would  abol- 
ish the  traditiooal  principle  that  patients'  consent  is  gener- 
ally reqxnred  before  their  medifal  inf onnadoQ  can  be  re- 

AflgMTA/ieaeoK  Departnento^  Piydittty,  Untictay MifiM^^  Arte*- 
S^uci  Worccsaef. 

iiOrUiiMlwiwdi  *i><iii<'i-t«T<  Tfiiti  nm  n  Vrtiii  itii. 


Jr*MA,Fet»Miy9.»X)-Vcia3,Na  6  7fi 
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leased  to  third  parties.  'Under  our  proposal,  most  uses  and 
disclosures  of  an  individual's  protected  health  information 
would  not  require  explicit  authorization  by  the  indi- 
vidual . .  Instead,  the  rcgubtions  define  the  cir- 
cumstances in  which  disclosure  can  occur.  Within  the  broad 
categories  of  'treatment,  payment,  and  health  care  open- 
tions,'  for  example,  information  could  be  released  without 
patients'  knowledge,  consent,  or  even  ability  to  track  ret- 
rospectively who  received  the  data. 

What  would  this  mean  in  practice?  Under  the  treatment 
provisicHK,  information  could  be  passed  automatically  to  any 
entity  hired  by  a  health  plan  to  coordinate  or  manage  care, 
inchiding  indqxndent  disease  managenient  oiganizations,  such 
as  those  discussed  by  Lo  and  A^KES.*  Patients  would  no  longer 

aHy  Tf>  prPTf^t  thf<t»  mmpani*^  frrtm  nbtainiiig  thfir  mxii- 

cal  records.  Nor  would  a  patient  who  had  a  sodal  acquain- 
tance with  a  physician  to  whom  he  or  she  was  being  lefened 
have  the  power  to  Uodc  transfer  of  potentially  embarrassing 
information  to  that  caregiver.  Physicians  who  wanted  to  ad- 
here to  a  higher  standard  widi  their  patients  (,tg,  would  oof 
disclose  any  information  ohless  the  patient  provides  wiitten  '. 
authorization  to  do  would  be  prohibited  from  malting  such ' 
a  pronuse."*!^"  indeed,  so  broad  b  the  scope  of  this  piovi- 
sion  in  DHHS  view  that  a  phyndan  treating  a  patidit  could  - 
examine  the  records  of  any  other  patient  with  a  siinilar  con- 
dition, or  of  any  persons  in  the  same  family  or  from  the  saiae 
household"*''''^  Under  the  payment  and  health  care  c^xTft- 
tions  {HWisibns.  entities  conducting  utilization  review,  qua^ 
iqr  assessment,  or  training  of  any  hea^  care  providers  in  on*, 
dergraduate  or  graduau  programs  would  have  similarly 


B^ond  diese  broad  categories  in  Whidi  patieiuswoiild  lose 
conq^ete  control  over  their  medical  informaticHi,  tlie|>n»- 
'  posed  icgulatibm  set  forth  a  sdies  of  otherTniiposes 
records  could  be'rdeased  wiihout  patient  consent.  Soiiie  of 
these  tire  sensibk.  suich-as  nlcajie  in  emetgoKies  or  rqxnt- 
ing  of  pubUc  health  threats.  Others,  however,  are  troubling. 
In  UtigBtioii.  an  attorney  could  obtam  a  patient's  medical  re- 
cords'with  «  written  statement  certifying  that  the  protected 
healdi  information  requested  concerns  a  litigant  to  the  pro- 
ceeding and  dut  the  health  condition  of  sudi  htignffE  at  is- 
sue in  sodi  {woceedings.""*''"^  In  dke  absence  of  ■  reqime- 
ment  for  judicial  review,  this  is  an  invitation  to  attorneys  to 
concoa  specious  grounds  tor  obtaining  access  to  medical  re- 
cords. e^>ecially  if  diose  recoids  ate  bdieved  to  contain  em- 
barrassiiig  infrnixiation.  Similai)y,^)cdfied  medical  infen^ 
tion  could  be  disclosed  to  the  police  at  thdr  request  to  hdp 


sons,  or  even  to  determine  whether  a  crime  had  oocuncd." 
(pMosn  Although  disclosure  would  not  be  coinpdledmiderthc« 
drnunstancf?.  it  is  diffirglt  tninw^wr  pbyyicMm  mi  faciB- 
ties,  who  rely  on  the  good  will  of  the  local  pohce,  potting  up 
inucfa  resistaiice  vidien  the  r^ubiioas  permit  discksnrc 

mation  from  insuros  or  diiidfanr^  administnuois  oCsdf- 


insured  pbms.  unless  they  proclaimed  their  intent  to  use  it  for 
'employiment  determinations.*  Once  in  their  hands,  dwu^i — 
and  the  practice  is  now  believed  to  be  widespread— the  in- 
formation could  be  used  covertly  to  the  detriment  of  employ- 
ees who  theinselves  or  whose  Cunilics  are  inaming  substantia 
s."*"***'**  Agencies  at  almost  any  level  of  gov- 
,  or  private  entities  acting  at  their  behest,  would  have 
broad  access  under  the  proposed  r^ulations  to  identifiable 
medical  data.  Release  would  be  permitted 'for  inclusion  in  a 
governmental  health  dau  ^stem  that  o^ects  health  dau  for 
analysis  in  suj^xxt  of  poli^,  {banning,  regubioiy,  or  man- 
agement fiinctkms  audtorized  by  law,""*'*^  Almost  eveiy 
government  agency  carries  out  at  least  I  of  those  functions. 

On  the  other  hand,  certain  pontive  aspects  of  these  pro- 
posed regulations  caimot  be  ignored.  The  proposed  re^ila- 
tions  would  require  patient  consent  before  infonnation  could 
be  used  for  mariuting:  sold,  rented,  or  bartered;  disclosed  to 
non-heakh-rdated  divisions  of  a  covered  entity  (eg.  for  mort- 
gage dedsions);  used  for  enroDmeiu  dedsioiis  in  a  heahh  plan; 
or  uised  for  fundiaising  purpa5es."''**""^tes  would  beal- 
lo!inEd  to  retain  or  cicatie  laws  diat  {Rxm^ 
tectiiDn  for  health  infatmation  privacy.  Inmost  cases,  hold- 
ers of  information  would  be  chafed  .with  rdeasiag  the 

fmiiiiwiif  m  amnaint  iwr<.<atiy  tn  «fimwipliA  thr-intmitrA  gwJ 

ProUKXiMis  wouU  be  incTBued  br  Ttoinds  being  sought  for 
rescartji.paiposes,  including  for  healdt  services  resesdi,  in 
circumstances  in  which  it  may  not  be  ieasibk  to  obtain  oon- 
seitti'Befate  access  widiout  ansem  could  occur .  aD  research-— 
iibtjost-  diose  federally  fimded  studies  now.  covered  umler. 
the  Ommion  ItnIe"-^-wpuld  have  to  meet  an  enhanced  set 
iof  criterii^  tedtiding  rnfaihnal  ridt  to  sttl]jects:  an  iiudjOi^tb 
conduct  the  research  withotft  waiver  of  consent;  an  ad- 
equate plan  toprotmaiidultiniatdydeslic^sidije^  . 
:fiei$;jand  deteiminatioiiiiyimiiistimtion^  teviewJwawl-or  - 
privity  booid  dwt  the  importainGeofthercseardiodtweiglhs 
the  taitrusion  on'sttl^eas^'priWacy,;. 

On  the  whole,  thoHi^  ^  cmrent  proposal  tilts  too  fiv  in 
the  direction  of  dtsriosing  private  mfdical  information  tor  » 
broad  set  of  pniposes.  Each  tiine  the  privacy  of  inedical  rec- 
ords is  traded  for  some  other  puiponcd  good,  there  is  a  real 
risk  of  dissuadiiig  pet^  from  coming  for  treatinent  or  bom 
revealing  the  information  diat  pfaysidaiis  iieed  to  provide  ad- 
equate care.*  The  answer  to  die  drficiencirt  in  the  current 
^stem  ought  not  to  be  to  abandon  aD  pretense  of  allowing 
patients  to  control  who  sees  dieir  pasonal  medical  infonna- 
tion. Instead,  die  filial  vcsion  of  ^ese  iegiilatk>ns  dtoold  le- 
store  patieiief  traditicmal  power  to  inaiiuain  their  privacy,  and 
reset  the  balance  between  access  and  privacy  ina  manner  mote 
accommodating  of  patients^  interests  and  more  bdlitativte  of 
die  pnwision    qinlity  inedical  care. 
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The  Chairman.  Mr.  Kahn.  , 

Mr.  Kahn.  Thank  you,  Mr.  Chairman.  I  appreciate  the  oppor- 
tunity to  testify  here  today  to  discuss  the  proposed  rules  issued  by  ; 
the  Secretary  of  Health  and  Human  Services  on  the  confidentiality  ; 
of  medical  information  as  well  as  how  best  to  protect  the  confiden- 
tiality of  medical  information  for  individual  Americans.  j. 

Despite  the  Secretary's  diligent  work,  the  regulations  have  flaws,  i 
Certain  of  these  flaws  can  be  fixed  in  the  regulatory  process,  but 
others  are  unavoidable  and  point  to  the  need  as  envisioned  by  the  , 
framers  of  the  Health  Insurance  Portability  and  Accountability  Act 
for  the  Congress  to  legislate  the  rules  to  protect  the  confidentiality  | 
of  our  personal  medical  information. 

Today  I  will  focus  on  four  areas  which  highlight  why  Federal  leg-  ^ 
islation  is  necessary,  as  well  as  what  should  be  revised  in  the  Sec- 
retary's regulations — ^uniformity,  consistency,  reach  for  enforce-  l 
ment,  and  health  care  quality. 

First,  uniformity.  Lacking  the  authority  to  preempt  State  laws, 
the  Secretary's  regulations  alone  cannot  achieve  uniformity.  It  will 
take  a  new  Federal  law  to  provide  uniform  national  protections 
with  increasingly  conflicting  State  and  Federal  laws.  The  use  of  \ 
health  information  for  billing,  claims  payment,  quality  improve-  , 
ment,  as  well  as  other  core  functions  for  insurance  is  increasingly  j 
carried  out  across  State  lines  through  electronic  data  systems.  In-  |  , 
consistency  between  State  and  Federal  laws  and  correspondingly  j  , 
high  compliance  costs  for  meeting  this  multitude  of  requirements  { 
will  impede  my  industry's  ability  to  operate  more  effectively  for  the  j 
consumer.  j 

But  beyond  costs,  inconsistency  can  not  only  lead  to  confusion  for  i  j 
consumers  but  could  adversely  affect  their  medical  care.  j 

On  consistency,  congressional  action  is  also  needed  to  bring  |  j 
greater  rationality  to  the  expanding  number  of  Federal  confiden- 
tiality requirements.  Confidentiality  rules  must  be  consistent  1 1 
across  the  laws  regulating  insurance  products.  Overlapping  Federal  I 
confidentiality  requirements  being  considered  in  different  legisla- 
tion and  regulatory  arenas  may  give  rise  to  an  irrational  system  of 
protections  that  will  have  inconsistent  requirements  and  possibly 
conflicting  requirements.  i 

For  example,  the  confidentiality  rules  in  the  recently  enacted  i  n 
Gramm-Leach-Bliley  Act  overlap  in  significant  ways  with  the  Sec-  ^  H 
retar/s  proposed  confidentiality  regulations,  and  even  the  adminis-  [  J 
tration  of  the  new  financial  services  law  is  likely  to  be  problematic  |;  J 
since  HHS  is  not  among  the  Federal  agencies  with  jurisdiction  over  j  \ 
Gramm-Leach-Bliley  but  obviously  still  controls  the  HIPAA  rules  i  se 
regarding  confidentiality.  ^ 

On  reach,  I  must  say  that  in  the  area  of  reach,  we  take  a  dif-  i  J 
ferent  view  than  the  General  Accounting  Office.  We  believe  the  pro-  I 
posed  HHS  confidentiality  regulations  overstep  regulatory  author-  1 
ity  provided  by  HIPAA.  HIPAA  does  not  give  the  Secretary  the  au-  I 
thority  to  hold  all  of  those  who  may  be  responsible  for  confidential-  ^  J 
ity  breaches  responsible  for  their  actions.  This  is  a  flaw  that  calls  a  ^ 
for  congressional  authority  and  means  for  enforcement.  P  k 

But  the  Secretary  has  chosen  to  make  medical  providers,  health  !; 
plans  or  insurers  and  employers  responsible  for  business  partners  ^  J 
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who  are  not  otherwise  covered  by  HIPAA,  yet  handle  medical  infor- 
mation. This  requirement,  which  is  not  mentioned  or  implied  in 
HIPAA,  would  compel  insurers,  for  example,  to  renegotiate  hun- 
dreds of  thousands  of  contracts  with  those  it  has  business  arrange- 
ments with  and  accept  new  responsibilities  for  the  operations  of 
their  contractors.  This  would  not  only  be  disruptive  to  consumers, 
but  most  importantly,  would  place  the  covered  entities  like  insurers 
in  the  role  of  the  policemen  for  the  Grovemment. 

Not  only  do  the  Secretary's  regulations  pass  on  the  responsibility 
for  enforcement  of  its  rules  for  uncovered  entities  to  such  as  insur- 
ers, but  it  also  makes  the  covered  entities  liable  in  court  for  the 
breaches  to  the  regulations  by  those  uncovered  entities.  The  pro- 
posed regulations  establish  a  private  contract  right  of  action  allow- 
ing individuals  to  sue  for  breaches  of  confidentiality.  This  new  pri- 
vate right  of  action  is  no  way  to  enforce  compliance  and  will  in- 
crease the  cost  of  care  to  all  of  us. 

Regardless  of  one's  view  on  the  merits  of  increased  litigation,  it 
is  clear  that  public  policy  change  of  this  magnitude  should  receive 
a  thorough  congressional  airing  rather  than  being  achieved  through 
the  back  door  of  regulation. 

Finally,  on  quality,  we  are  concerned  that  the  proposed  regula- 
tions do  not  yet  achieve  the  right  balance  between  protecting  con- 
fidentiality and  ensuring  high-quality  care.  We  applaud  the  Sec- 
retary for  recognizing  the  importance  of  allowing  health  plans  and 
providers  to  share  information  for  certain  health  care  operations 
that  support  patient  treatment  and  claims  payment.  However,  the 
final  rules  should  adso  recognize  the  importance  of  shsiring  informa- 
tion to  carry  out  disease  management  programs,  anti-fraud  initia- 
tives, and  patient  safety  activities.  Some  of  the  narrow  standards 
in  the  proposed  rules  could  in  practice  have  a  chilling  effect  on 
these  important  functions. 

Once  2igain,  let  me  thank  you  for  the  opportunity  to  testify  today. 
I  will  be  happy  to  answer  any  questions  you  may  have  on  the  topic. 

The  Chairman.  Thank  you,  Mr.  Kahn. 

[The  prepared  statement  of  Mr.  Kahn  follows:] 

Prepared  Statement  of  Charles  N.  Kahn  III 

Mr.  Chairman,  distinguished  members  of  the  Committee,  I  am  Charles  N.  Kahn 
III,  President  of  the  He^th  Insurance  Association  of  America  (HIAA).  Before  joining 
HIAA,  I  devoted  a  signiflcant  portion  of  my  professional  Ufe  to  working  as  a  staff 
member  for  a  former  member  of  this  Committee,  and  as  Staff  Director  to  the  House 
Ways  and  Means  Subcommittee  on  Health.  My  experience  in  the  Senate  includes 
service  as  senior  health  policy  advisor  to  Senator  David  Durenburger  (R-MN),  when 
he  was  chairman  of  the  Senate  Finance  Committee's  Health  Subcommittee  and 
service  as  legislative  assistant  for  health  to  then-Senator  Dan  Quayle  (R-IN). 

Thank  you  for  the  opportunity  to  present  testimony  before  this  committee  on  be- 
half of  the  HIAA  and  its  member  companies  on  this  extremely  important  topic. 
HIAA  is  the  nation's  most  prominent  trade  association  representing  the  private 
'  health  care  system.  Its  290  members  provide  health,  long-term  care,  dental,  disabil- 
ity, and  supplemental  coverage  to  more  than  123  miUion  Americans.  With  the  explo- 
i  sive  growth  in  medical  and  computer  technology  and  the  rapid  changes  in  society 
j    oyer  the  past  few  years,  health  information  has  become  an  essential  tool  in  this  na- 
tion's health  care  system.  In  the  past,  people  would  see  one  family  doctor  for  their 
medical  care.  Today,  patients  turn  to  a  diverse  group  of  health  care  practitioners 
I    including  specialists  and  allied  health  care  professionals.  In  this  type  of  environ- 
ment, effective  care  depends  on  practitioners  who  are  able  to  share  and  commu- 
nicate about  a  patient's  medical  information.  With  a  system  of  integrated  care  and 
computerized  transactions,  the  free  flow  of  medical  information  becomes  even  more 


88 

critical.  Accurate,  readily  available  health  information  is  vital  to  determining  the 
best  course  of  treatment  for  a  patient. 

While  ensuring  the  most  appropriate  patient  care  is  clearly  the  paramount  use 
for  medical  records,  health  information  also  is  critical  to  basic  insurance  functions. 
Both  public  and  private  payers  require  personal  health  information  in  order  to  ad- 
minister health  care  benefits.  As  noted  by  the  General  Accoimting  Office  (GAO), 
"[pjersonally  identifiable  information  is  essential  to  the  Health  Care  Financing  Ad- 
ministration's (HCFA's)  day-to-day  administration  of  the  Medicare  Program."  Such 
information  is  equally  vital  to  third  party  payers  in  the  private  market. 

Public  and  private  payers  need  personally  identifiable  patient  information  pri- 
marily to  pay  billions  of  health  care  claims  each  year.  Payers  also  use  this  informa- 
tion in  a  number  of  other  vital  areas.  These  include: 

Determining  eligibility  for  benefits 

Determining  risk-adjustment  mechanisms 

Detection  and  prevention  of  fi*aud  and  abuse. 

Other  important  fiinctions  of  health  information  include  assuring  health  care 
quality,  measuring  health  outcomes,  and  ensuring  that  patients  receive  preventive 
services. 

State  and  federal  confidentiality  laws — and  the  controls  they  exercise  over  the  ex- 
change of  information — have  a  significant  impact  on  day-to-day  health  insurance 
and  health  plan  business  operations.  These  laws  generally  contain  rules  governing 
claims  administration,  enrollment  processes,  payment  and  remittance  procedures, 
referrals  and  authorization  certifications,  quality  improvement  and  research  activi- 
ties just  to  name  a  few. 

We  recognize  consumers'  concerns  with  the  confidentiality  of  their  health  informa- 
tion and  agree  that  these  concerns  must  be  addressed.  HIAA  member  companies 
have  had,  and  will  continue  to  have,  strict  standards  for  protecting  patient  medical 
records.  In  addition,  HIAA  has  been  a  vocal  proponent  of  the  need  to  safeguard  indi- 
vidually identifiable  health  information  through  balanced  federal  legislation  that 
protects  personal  health  information  fi'om  public  disclosure  while  ensuring  that  in- 
formation is  available  to  carry  out  basic  insurance  and  health  plan  fiinctions. 

However,  while  we  must  address  consumer  concerns,  we  also  must  be  careftil  not 
to  adopt  overly  prescriptive  legislation  that  undermines  the  ability  of  the  health 
care  industry  to  provide  these  same  consumers  with  the  high  quality,  affordable 
health  care  services. 

That  is  why  HIAA  supports  balanced  and  responsible  federal  legislation  of  con- 
fidentiality that  provides  strong  protections  for  consumers  while  at  the  same  time 
not  placing  undue  regulatory  burdens  on  the  private  health  care  system.  Such  legis- 
lation also  must  include  a  strong  state  preemption. 

The  primary  difficulty  with  state  confidentiality  laws  and  regulations  is  a  lack  of 
uniformity.  At  the  July  20,  1999,  hearing  of  the  Committee  on  Ways  and  Means 
Subcommittee  on  Health  on  Confidentiality  of  Health  Information,  the  GAO  noted 
several  problems  faced  by  HCFA  when  state  laws  are  not  uniform  for  confidentiality 
of  health  information.  First,  if  HCFA  could  not  receive  uniform  health  information 
fi'om  sources  in  all  states,  internal  operations  such  as  rate  setting  and  quality  assur- 
ance monitoring  could  suffer.  Second,  barriers  to  information  gathering  could  affect 
the  ability  of  government  analysts  to  perform  public  policy  analysis  and  health  serv- 
ices research  because  of  the  compliance  burden  created  by  various  non-uniform  state 
laws. 

Private  payers  face  similar  dilemmas  when  state  confidentiality  laws  are  not  con- 
sistent. The  current  patchwork  of  state  confidentiality  laws  leaves  consumers  with 
fewer  protections  in  some  states  than  in  others. 

Moreover,  laws  and  regulations  governing  the  collection,  use,  transmission,  and 
disclosure  of  health  information  have  a  major  impact  on  insurers'  core  business  and 
systems  fiinctions.  These  critical  fiinctions  increasingly  are  carried  out  across  state 
lines  by  insurance  companies  and  contractors  through  computer  data  transaction 
systems.  Inconsistent  state  laws  governing  health  information  confidentiality  could 
impede  the  insurance  industrjr's  ability  to  operate  efficiently  and  meet  the  demands 
of  its  customers. 

The  resources  that  must  be  devoted  to  compliance  with  the  myriad  state  laws  can 
be  significant. 

Adding  a  new  layer  of  federal  regulation  without  preempting  existing  state  con- 
fidentiality laws  would  only  compound  the  difficulty.  Consequently,  HIAA  would 
support  only  federal  legislation  that  preempted  most  state  laws. 

In  May  1999,  the  HIAA  Board  of  Directors  adopted  formal  policy  supporting  en- 
actment of  federal  confidentiality  legislation.  This  policy  contains  five  important 
principles. 
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First,  HIAA  believes  there  should  he  federal  standards  for  confidentiality  of  patient 
health  information. 

Such  federal  standards  are  critical  to  guaranteeing  uniform  and  consistent  treat- 
ment of  patient  health  information  across  all  50  states.  With  the  Health  Insurance 
Portability  and  Accountability  Act  of  1996  (HIPAA),  Congress  took  important  steps 
in  the  right  direction  by  requiring  standardized  electronic  transmission  of  health 
care  information  with  appropriate  security  protections.  HIAA  beUeves  strongly  that 
a  federal  uniform  standard  is  the  only  way  to  avoid  dual  regulation  for  medical 
records.  State  authority  should  remain  paramount  over  areas  of  confidentiality  not 
in  conflict  with  national  uniformity  and  consistency,  such  as  state  reporting  require- 
ments for  public  health  and  safety  dangers. 

The  second  principle  of  HIAA's  policy  is  a  commitment  to  strong  and  consistent  con- 
fidentiality protections  for  all  individually  identifiable  patient  health  informa- 
tion. 

HIAA  believes  that  all  sensitive,  personal  health  information  should  be  kept  con- 
fidential. Certain  types  of  health  imormation  or  information  about  illnesses  should 
not  be  singled  out  legislatively  for  stronger  or  weaker  protection. 

Third,  HIAA  believes  that  any  confidentiality  standards  should  recognize  the  need 
for  appropriate  use  of  patient  health  information  and  acknowledge  that  access 
to  health  information  often  is  critical  to  providing  quality  care  for  patients. 

Today,  most  health  care  services  are  delivered  through  some  form  of  coordinated 
or  organized  system.  As  health  plans,  providers,  hospitals,  pimihasers,  and  others 
in  the  health  care  industry  continue  to  design  and  enter  into  innovative  health  care 
delivery  arrangements,  it  will  become  more  and  more  important  to  recognize  that 
appropriate  information  sharing  must  occur  within  that  system  to  make  sure  pa- 
tients receive  appropriate  health  care. 

The  trend  toward  the  coordinated  care  delivery  provides  greater  opportunities  to 
protect  confidential  patient  health  information  and  to  ensure  such  information  is 
used  appropriately  to  benefit  consumers.  Such  coordinated  systems  enable  improved 
tracking  of^  an  individual's  health  information  to  better  monitor  appropriate  access 
to  and  use  of  such  information. 

Fourth,  HIAA  believes  that  standards  should  not  impede  public  and  private  sector 
efforts  to  combat  health  care  waste,  fraud,  and  abuse. 

Patient  medical  information  and  the  ability  to  share  that  information  are  key  to 
state,  federal,  and  insurer  anti-fraud  activities.  A  1999  audit  by  the  Office  of  the 
Inspector  General  of  the  Department  of  Health  and  Human  Services  (HHS)  found 
that  Medicare  made  improper  payments  of  over  $13  biUion  in  fiscal  year  1999  alone. 
The  GAO  has  estimated  that  health  care  fraud  accounts  for  up  to  10  percent  of  na- 
tional health  care  spending  each  year. 

Unfortunately,  it  is  true  that  insurance  information  and  patient  information  are 
the  fi*equently  used  to  commit  health  care  fi*aud.  For  instance,  providers  cannot  fal- 
sify claims  and  medical  equipment  suppliers  cannot  submit  inflated  bills  without  ac- 
cess to  patient  information.  However,  this  information  also  is  critical  to  combating 
fi*aud.  Investigators  must  rely  heavily  on  medical  records  to  document  these  cases. 

This  does  not  necessarily  mean  that  individually  identifiable  patient  information 
must  be  publicly  disclosed  in  order  to  successfully  investigate  and  prosecute  fraud. 
However,  fraud  investigators  in  both  the  public  and  private  sectors  must  continue 
to  have  access  to  such  information.  Federal  confidentiaUty  legislation,  therefore, 
should  not  be  overly  prescriptive. 

Finally,  HIAA  supports  fair  penalties  as  a  strong  deterrent  to  misuse  of  individually 
identifiable  health  information,  rather  than  process-oriented  regulatory  require- 
ments. 

HIAA  believes  there  should  be  strong  administrative  penalties  for  those  who  inap- 
propriately use  or  disclose  sensitive,  individually  identifiable  health  information. 
New  penalties  should  only  be  authorized  for  material  violations  that  lead  to  dem- 
'     onstrated  harm  to  consumers,  not  for  administrative  mistakes  or  errors.. 

In  addition  to  its  confidentiality  policy  recommendations,  HIAA  also  has  submit- 
ted comments  on  regulations  proposed  by  the  Secretary  of  HHS  under  the  authority 
granted  to  her  by  HIPAA. 

With  these  proposed  regulations,  the  Secretary  clearly  has  recognized  the  impor- 
tance of  the  fi*ee  flow  of  information  in  today's  health  care  system.  Over  the  years, 
health  plans  and  insurers  have  had  an  exemplary  track  record  of  maintaining  the 
confidentiaUty  of  personal  health  information.  The  Secretary's  proposed  regulations 
acknowledge  this  strong  record  by  generally  allowing  such  information  sharing  to 
continue.  It  is  vital  that  information  sharing  continue  among  health  plans  and  in- 


90 

surers,  health  care  providers,  and  health  care  clearinghouses  for  purposes  of  treat- 
ment, payment,  and  health  care  operations.  Overly  restrictive  barriers  to  such  ex- 
changes are  potentially  harmful  to  patients. 

Unfortunately,  in  several  areas,  the  Secretary's  proposed  regulations  inadvert- 
ently impose  onerous  and  unnecessary  burdens  on  health  plans  and  insurers,  and 
on  the  health  care  system  in  general.  In  some  instances,  the  regulations  on  "pro- 
tected health  information"  would  result  in  onerous  mechanistic  administrative  re- 
quirements in  such  areas  as  record  retention  and  inspection,  and  on  covered  enti- 
ties. 

Moreover,  HIAA  believes  the  Secretary  should  be  extremely  cautious  in  this  area 
and  should  adhere  closely  to  the  limited  statutory  authority  granted  by  HIPAA. 
HIPAA  provides  the  Secretary  with  hmited  authority  to  propose  confidentiaUty  reg- 
ulations. However,  in  many  cases,  the  Secretary  has  inappropriately  overstepp^ 
the  bounds  established  by  Congress. 

In  addition,  HIAA  believes  the  Secretary  should  proceed  with  great  care  because 
case  law  suggests  that  Congress  may  have  improperly  delegated  its  own  legislative 
power  by  even  authorizing  the  Secretary  to  devise  these  regulations.  Therefore, 
HHS  has  questionable  legal  authority  to  promulgate  such  far-reaching  regulations. 
HIAA  is  concerned  that  these  confidentiality  regulations  do  not  exhibit  such  caution. 

HIAA  submitted  detailed  written  comments  about  the  proposed  regulations  to 
HHS  on  February  14,  2000.  Let  me  point  out  the  key  points  from  our  comments. 

First,  HIAA  believes  the  proposed  confidentiality  regulations  go  beyond  the  statutory 
authority  granted  by  HIPAA  to  the  Secretary  of  HHS.  This  creates  unnecessary 
regulatory  burdens  and  could,  in  the  end,  lead  to  higher  health  care  costs  for 
consumers. 

HIPAA  provided  clear,  strong  administrative  enforcement  penalties  for  breaches 
of  confidentiality.  The  proposed  regulations  go  beyond  that  authority  to  establish  a 
"contract  cause  of  action"  allowing  individuals  to  sue  for  actual  damages  and  equi- 
table relief.  This  "back-dooi*"  approach  to  hability  is  clearly  inconsistent  with  con- 
gressional intent.  It  could  result  in  excessive  litigation — including  class  action  law- 
suits— that  would  further  clog  the  coxuts  and  drive  up  health  care  costs. 

In  addition,  the  proposed  regulations  require  that  health  plans,  providers,  and 
other  entities  monitor  the  activities  of  their  "business  partners"  and  that  they  add 
contract  provisions  assuring  that  these  partners  do  not  violate  the  regulations  and 
hold  health  plans  responsible  for  their  potential  breaches.  This  requirement,  which 
is  not  even  mentioned  in  HIPAA,  would  force  insurers  to  re-negotiate  hundreds  of 
thousand  of  contracts  with  physicians,  hospitals,  accreditation  agencies,  and  other 
entities.  This  would  create  substantial  disruption  for  consumers  and  could  impede 
patient/physician  relationships  or  interrupt  continuity  of  care. 

The  proposed  regulations  also  assume  authority  over  underwriting  practices,  an 
area  that  Congress  carefully  deferred  to  the  states  in  the  access,  portability,  and  re- 
newabihty  provisions  of  HIPAA.  Specifically,  these  regulations  would  have  an  im- 
pact on  two  areas  of  underwriting  that  rely  on  individual  health  information: 
issuing  individual  insurance  and  setting  premiums.  This  directiy  contradicts  Title 
I  of  HIPAA.  Congress  clearly  did  not  want  the  Secretary  of  HHS  influencing  state 
premium  rules  or  other  underwriting  requirements  through  her  confidentiality  regu- 
lations. If  the  regulations  are  allowed  to  override  these  state  laws,  they  coiild  lead 
to  premiimi  increases  for  those  consumers  covered  by  affected  insurance  products. 

The  HHS  Secretary  also  oversteps  her  regulatory  reach  by  including  in  her  pro- 
posed regulations  specific  health  insurance  products  that  were  expressly  excluded 
from  HIPAA,  including  long-term  care  insurance,  limited  benefit  insurance  policies, 
disability  income  insurance,  and  dental  insurance.  If  the  regulations  were  to  become 
final  in  this  form,  they  could  lead  to  increased  costs  and  unnecessary  regulatory 
burdens  for  consumers  covered  by  those  products. 

HIAA  believes  the  final  regulations  should  reflect  that  patient  safety  and  health  care 
quality  are  paramount  objectives. 
To  achieve  this  objective,  the  regulations  should  include  an  expanded  definition 
of  "health  care  operations"  including  certain  key  activities  that  improve  quality  of 
care  for  patients.  As  they  stand,  the  proposed  regulations  appropriately  allow  health 
plans  and  providers  to  share  information  needed  for  necessary  "health  care  oper- 
ations." These  include  critical  management  functions  that  support  patient  treatment 
and  claims  payment.  However,  the  narrow  definition  of  "health  care  operations" 
could  limit  the  ability  of  health  plans  and  insurers  to  conduct  efforts  that  contribute 
to  patient  health  and  safety.  The  allowable  activities  in  the  proposed  regulation  ex- 
cludes certain  administrative  functions  as  well  as  such  essential  services  as  disease 
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management  programs,  programs  to  identify  high-risk  workers,  and  education  tar- 
geting particular  populations. 

In  addition,  the  regulation's  "minimum  necessary"  standard  for  information  shar- 
ing should  not  curtail  patient  safety  activities.  Medical  errors  are  far  too  prevalent 
in  the  health  care  system.  Unfortunately,  the  "minimum  necessary"  standard  in  the 
proposed  regulations  could  make  matters  worse.  The  relations  allow  health  plans 
to  use  or  disclose  only  the  minimum  amount  of  information  "necessary  to  accomplish 
the  intended  purpose  of  the  use  or  disclosure."  This  narrow  standard  would  nave 
a  chilling  effect  on  detecting  and  reporting  errors.  It  would  restrict  the  ability  of 
physicians,  nurses,  nonphvsician  providers,  and  administrators  to  review  and  share 
information.  In  the  end,  this  would  prevent  health  plans  and  insurers  from  quickly 
pinpointing  medical  errors. 

Also,  anti-fraud  activities  should  not  be  hindered  by  open  access  to  information 
used  in  an  investigation.  While  consumers  should  have  ready  access  to  their  own 
health  information,  the  proposed  rules  aUow  patients  and,  potentially,  providers  to 
access  a  broad  range  of  information,  even  data  and  files  that  are  critical  to  an  on- 
going investigation  of  a  questionable  claim.  This  invites  claimants  under  investiga- 
tion to  interfere  with  records,  a  practice  that  would  imdermine  private  sector  efforts 
to  combat  waste,  fraud,  and  abuse. 

Finally,  HIAA  believes  that  the  final  HIPAA  regulations  should  take  into  account 
other  federal  and  state  confidentiality  laws  so  that  consumers  and  insurers  will 
not  be  burdened  with  confusing  or  overlapping  regulations. 
A  growing  number  of  laws  and  regulations,  both  state  and  federal,  address  con- 
fidentiaUtjr.  These  sometimes  conflicting,  sometimes  overlapping,  legal  regimes  can 
result  in  burdensome  processes  for  patients,  providers,  health  plans,  and  insurers. 
By  setting  a  federal  "floor,"  the  Secretai^s  proposed  regulations  are  an  invitation 
to  pass  more  restrictive  laws  in  the  states.  For  example,  a  number  of  states  are  con- 
sidering laws  allowing  patients  to  prohibit  use  or  disclosure  of  information  other 
than  for  the  narrow  purpose  that  it  was  provided.  The  restricted  access  caused  bv 
such  bills  could  hamper  health  plan  and  provider  reporting  requirements  and  qual- 
ity improvement  activities. 

As  more  and  more  states  propose  and  potentially  enact  new  legislation,  the  result- 
ing patchwork  of  laws  and  regulations  could  reduce  quality  and  breed  confusion 

Conflicting  state  laws  also  could  lead  to  significant  confusion  for  consumers.  It  is 
common  for  a  person  to  live  in  one  state,  work  in  another,  receive  hospital  care  in 
a  third,  and  be  covered  by  an  insurer  in  yet  another  state.  What  confidentiahty  pro- 
tections apply  to  this  person?  What  jurisdiction  has  regulatory  oversight?  Clearly, 
a  uniform  national  rule  in  this  area  is  preferable. 

Other  federal  laws  and  legislative  proposals  also  may  pose  compliance  problems 
and  create  confiision.  The  recently  enacted  Gramm-Leach-Bliley  Act  (P.L.  106-102) 
protects  certain  types  of  personal  information.  Its  provisions  may  overlap  with  the 
Secretary's  proposed  confidentiality  regulations.  Gramm-Leach-Bliley's  definition  of 
"nonpublic,  personal  information"  may  include  some  of  the  "protected  health  infor- 
mation" covered  by  the  HHS-proposed  regulations.  Similarly,  Gramm-Leach-Bliley 
and  the  regulations  from  HHS  may  apply  to  some  of  the  same  entities.  Since  HHS 
is  not  among  the  several  agencies  with  jurisdiction  over  Gramm-Leach-Bliley,  clari- 
fication and  coordination  would  be  very  complicated.  Federal  legislative  proposals 
for  electronic  signature  by  their  nature  will  involve  information  collection  and  trans- 
fer, thus  setting  up  the  potential  for  conflicting  regulation  of  information  transfer, 
use,  and  disclosure  by  multiple  federal  and  state  agencies.  Given  the  various  federal 
and  state  agencies  involved  in  financial  services,  health  care  and  electronic  com- 
merce. Congressional  caution  and  thoughtful  planning  are  recommended. 

Further,  the  proposed  confidentiality  regulations  are  closely  related  to  HIPAA's 
security  regulations.  Those  regulations  were  issued  in  1998  but  have  not  vet  been 
issued  in  final  form.  Because  of  the  inextricable  link  between  privacy  of  health  infor- 
mation in  automated  information  systems  and  the  physical  security  of  those  sys- 
tems, the  two  standards  are  extremely  difficult  to  regulate  separately.  For  example, 
the  Secretary's  proposed  security  standards  would  apply  to  certain  aspects  of  health 
care  contracts  between  business  partners.  At  the  same  time,  these  regulations  would 
overlap  with  the  "business  partner  contract"  provisions  of  the  proposed  rules  for  pri- 
vacy of  health  information. 

Once  again,  let  me  thank  you  for  the  opportunity  to  testify  on  this  important 
issue.  In  the  end,  balance  will  be  the  key.  As  you  consider  the  issue  of  confidential- 
ity we  urge  you  to  carefully  consider  both  the  desire  to  assure  confidentiality  and 
\  the  need  for  the  private  health  care  system  to  continue  providing  high-quality  care 
I     to  American  consumers. 

■       The  Chairman.  Ms.  Goldman. 
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Ms.  Goldman.  Good  afternoon,  Mr.  Chairman.  Thank  you  very 
much  for  inviting  us  to  testify  today. 

I  started  the  Health  Privacy  Project  at  Georgetown  University  a 
few  years  ago  to  try  to  fill  a  gap  both  in  public  policy  and  in  public 
understanding  of  an  issue  that  we  believe  directly  affects  the  qual- 
ity of  care  that  people  get  in  this  country  and  their  access  to  care. 

What  we  have  tried  to  do  in  the  Project  is  to  also  fill  gaps  in 
what  we  know  and  what  we  understand  so  that  we  are  not  just 
talking  about  anecdotes,  and  we  are  not  overreacting  to  situations. 

We  have  issued  a  number  of  reports  in  the  last  few  years.  We 
brought  together  a  diverse  working  group  of  stakeholders  from 
health  plans,  provider  groups,  and  disability  rights  groups  to  de- 
velop best  principles  for  health  privacy.  We  did  an  exhaustive 
study  of  State  confidentiality  statutes  in  this  area.  We  have  a 
State-by-State  report  that  is  available  as  well.  We  have  looked  at 
the  privacy  of  health  web  sites,  and  we  convened  a  Consumer  Coa- 
lition for  Health  Privacy  which  is  made  up  of  the  major  disability 
rights  and  consumer  groups  in  this  country. 

Our  mission  again  is  to  look  at  the  impact  of  the  lack  of  privacy 
in  health  care,  and  we  have  participated  in  a  number  of  surveys 
and  studies  that  show  empirically  that  the  lack  of  confidentiality 
is  creating  great  anxiety  in  the  public;  that  people  are  afraid  to 
fully  share  information  with  their  doctors;  they  leave  out  informa- 
tion, or  they  lie,  or  they  go  from  doctor  to  doctor  as  a  way  of  trying 
to  keep  their  information  separate;  or,  in  the  worst  case  scenario, 
they  avoid  care  altogether.  They  are  concerned  both  about  the  de- 
velopment of  electronic  record  systems  and  the  rise  of  managed 
care  that  is  consolidating  information.  And  we  are  seeing  again  es- 
calated media  coverage  about  privacy  abuses. 

The  comment  was  made  earlier  about  discrimination,  and  I  think 
it  is  really  important  to  recognize  in  this  area  that  once  we  have 
privacy  protections  in  place,  we  will  provide  a  first  line  of  defense 
against  discrimination;  that  employers  who  do  not  have  any  reason 
to  see  medical  information  will  not  be  able  to  even  get  it,  and 
therefore  you  will  not  have  to  worry  about  discrimination  in  as 
many  areas  as  you  worry  about  now. 

We  know  that  lack  of  privacy  is  the  number  one  barrier  to  people 
getting  genetic  testing  and  counseling,  and  that  it  also  affects 
whether  they  participate  in  research.  So  we  also  see  that  it  affects 
the  quality  of  care  individuals  get,  because  you  cannot  accurately 
diagnose  and  treat  people  if  they  are  not  fully  sharing  information 
with  their  doctors,  but  then  downstream,  that  information  that  is 
used  for  research  and  public  health  will  also  be  compromised  and 
will  also  be  unreliable. 

Congress  did  recognize  this  as  an  important  issue,  and  in  HIPAA 
in  1996,  you  imposed  a  deadline  on  yourselves  to  enact  comprehen- 
sive legislation.  This  committee  held  a  number  of  hearings  and  in- 
troduced bills — other  committees  in  Congress  did  as  well.  I  think 
it  is  not  for  lack  of  effort  that  Congress  did  not  act.  I  think  the 
issue  is  complicated,  and  we  just  had  a  lot  of  trouble  reaching  com- 
mon ground  in  a  way  that  allowed  us  to  move  forward. 

The  Secretary  did  live  up  to  her  obligation  to  release  proposed 
rules.  In  the  comment  period  that  was  allowed  after  the  proposed 
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rules  were  released,  about  52,000  comments  were  received;  over 
half  of  those  comments  came  from  the  consumer,  disability  rights, 
and  patient  advocacy  groups,  and  they  were  very  strong  in  saying 
not  only  that  this  regulation  was  narrow,  and  probably  too  narrow 
to  really  satisfy  health  privacy  concerns  generally,  but  that  it 
should  be  strengthened  as  well,  and  my  testimony  will  address 
those  issues. 

I  was  very  pleased  to  see  in  GAO*s  statement  today  that  they  be- 
lieve the  Secretary  was  within  her  authority,  her  legislatively  dele- 
gated authority,  in  the  proposal  that  she  annoimced. 

I  want  to  say  in  response  to  an  earlier  comment  also  that  the 
proposed  regulation  is  a  vital,  even  if  it  is  an  intermediary  step, 
that  it  should  go  forward,  it  should  be  finalized.  The  absence  of  any 
Federal  law  in  this  area  I  think  has  really  created  havoc  both  in 
the  States  and  in  the  general  public. 

I  want  to  focus  on  two  areas  in  terms  of  the  proposed  rule.  One 
is  that  due  to  the  legal  constraints  imposed  on  the  Secretary  under 
HIPAA,  the  scope  of  the  proposal  is,  I  think,  very  narrow,  and 
there  are  some  awkward  constructions  such  as  the  business  part- 
ners arrangement,  which  are  there  as  a  necessity  to  try  to  make 
this  a  workable  proposal. 

The  second  thing  is  that  there  are  some  weaknesses  in  the  pro- 
posal. Let  us  look  first  at  the  major  gaps  in  her  proposal.  It  will 
explicitly  cover,  at  least  in  the  proposal,  electronic  records  and  not 
paper.  I  think  you  have  heard  uniformly  today  that  that  is  a  dis- 
tinction that  is  absurd;  it  is  imworkable.  I  thiiik  the  GAO  did  say 
that  she  does  have  the  authority  to  cover  paper  records  as  well, 
and  I  think  she  should.  I  think  it  would  be  very  tragic  if  this  were 
a  disincentive  to  creating  electronic  records  because  people  thought 
they  could  evade  the  scope  of  the  regulation  if  they  kept  informa- 
tion in  paper  form. 

The  second  gap  is  that  the  Secretary  can  only  regulate  three  en- 
tities directly — ^the  plans,  the  providers,  and  the  health  clearing- 
houses. Again,  this  is  a  constraint  from  HIPAA,  and  the  business 
partner  arrangement  is  there  because  without  that,  the  Secretary 
could  have  said  to  those  three  covered  entities:  You  may  not  dis- 
close information  at  all  outside  of  the  covered  entities.  She  could 
say  to  providers  and  plans:  You  collect  the  information,  and  this  is 
how  you  can  use  it  internally,  and  you  may  not  disclose.  But  I 
think  she  realized  that  that  is  not  workable  in  toda/s  health  care 
environment  and  so  needed  to  allow  the  information  to  be  disclosed 
but  with  some  limitations  and  with  some  requirements. 

The  third  major  gap,  I  think,  is  the  remedies  section.  It  is  nar- 
row, it  is  stingy.  Even  if  there  is  in  the  business  contract  require- 
ment something  that  says  individuals  shall  be  third-party  bene- 
ficiaries, I  think  that  is  not  an  explicit  private  right  of  action.  It 
is  certainly  not  a  Federal  private  right  of  action,  and  I  think  people 
will  have  a  very  difficult  time  if  their  rights  are  violated  bringing 
an  action  in  court.  So  we  have  very  weak  enforcement  of  this  rule. 

I  would  say  certainly  the  second  two  gaps,  the  scope  of  coverage 
and  the  remedies,  will  need  congressional  action.  There  is  still  a 
very  significant  role  for  Congress  to  play  here. 

Let  me  run  through  the  major  provisions  of  the  proposal  very 
quickly.  Overall,  it  does  create  an  incentive  to  de-identify  informa- 
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tion — not  a  requirement,  but  an  incentive,  because  then  you  are 
outside  the  scope  of  the  regulations.  It  requires  that  people  be 
given  notice  about  how  their  information  will  be  used,  which  is  the 
only  way  they  can  make  informed  choices.  It  gives  them  a  right  to 
see  and  copy  their  own  medical  information,  which  is  not  guaran- 
teed now  in  most  of  the  States.  And  it  requires  authorization  from 
patients  in  many  instances.  We  believe  that  you  should  have  to  get 
authorization  even  for  treatment,  payment,  and  health  care  oper- 
ations, recognizing  that  this  might  not  be  a  meaningful  authoriza- 
tion, but  just  signing  on  that  line,  which  people  do  now — ^that  is  the 
status  quo,  that  people  sign  these  waivers — that  they  should  have 
to  sign  something  that  says  I  read  the  notice,  I  signed  it,  I  under- 
stand how  my  inSformation  is  going  to  be  used.  Again,  it  is  not  a 
bar  to  using  the  information;  it  is  a  procedural  protection. 

In  research,  the  Secretary  says  that  regardless  of  the  source  of 
funding,  privately  funded  or  publicly  funded  research  should  be 
protected  and  should  follow  the  same  rules.  I  think  that  many  in 
the  research  community  agree  with  that,  that  that  is  the  gold 
standard  that  is  followed  now  by  the  major  researchers  in  this 
country. 

On  law  enforcement,  I  think  her  proposal  was  very  disappointing 
and  did  not  really  make  much  progress  from  the  1997  rec- 
ommendations, which  drew  fire  in  this  committee  and  in  the  public 
as  well.  We  think  it  should  be  strengthened,  and  there  should  be 
a  warrant  requirement  or  some  kind  of  legal  process  requirement. 

On  preemption,  I  want  to  say  very  quickly  that  I  think  there  has 
been  a  lot  of  overreaction  today  on  the  preemption  issue.  Our  State 
report  shows  that  there  are  no  comprehensive,  strong  laws  at  the 
State  level.  So  right  now,  health  care  industries  and  health  care  or- 
ganizations have  to  comply  with  those  50  different  laws  that  are 
all  over  the  books,  that  are  widely  divergent,  that  are  for  the  most 
part  not  comprehensive  but  are  very,  very  different  laws.  So  any 
floor  that  Congress  sets  or  that  the  administration  sets  will  raise 
that  bar  and  create  substantial  uniformity.  And  as  Senator  Murray 
said,  there  are  State  laws  that  are  very  specific  on  mental  health, 
on  communicable  disease,  adoption,  custody,  neglect — I  could  go  on 
and  on — and  those  are  areas  where  the  Federal  Grovemment  has 
not  even  begun  to  regulate.  If  we  were  to  preempt  those  laws,  I 
think  we  would  do  serious  damage.  But  again,  any  floor  will  be 
cost-effective  and  will  create  substantial  uniformity. 

Congress  has  set  the  wheels  in  motion  for  this  regulatory  process 
that  is  before  us  today,  and  while  this  has  been  a  tough  issue  with 
differing  interests,  I  think  the  Secretary  has  fulfilled  her  duty 
under  HIPAA  and  has  taken  us  part  of  the  way.  The  rules  should 
be  finalized,  and  we  appeal  to  Congress  to  finish  the  job,  to  fill 
those  gaps,  to  strengthen  the  weak  sections  in  the  proposal,  and  to 
create  a  uniform  and  comprehensive  Federal  rule  on  medical  pri- 
vacy. 

Thank  you  very  much. 
The  Chairman.  Thank  you. 

[The  prepared  statement  of  Ms.  Goldman  follows:] 
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Prepared  Statement  of  Janlori  Goldman 
i.  introduction  and  overview 

Mr.  Chairman  and  Members  of  the  Senate  Committee  on  Health,  Education, 
Labor  and  Pensions:  I  very  much  appreciate  the  invitation  to  testify  before  you 
today  on  the  privacy  of  medical  reconJs,  and  the  Administration's  proposed  regula- 
tions regarding  the  privacy  of  individually  identifiable  health  information. 

In  December  1997,  I  launched  the  Health  Privacy  Project  at  the  Institute  for 
Health  Care  Research  and  Policy  and  Georgetown  University  Medical  Center.  The 
Project  is  dedicated  to  raising  public  awareness  of  the  importance  of  ensuring  health 
privacy  in  order  to  improve  health  care  access  and  quality,  both  on  an  individual 
and  a  commxinity  level.  In  addition,  the  Project  coordinates  the  Consumer  Coalition 
for  Health  Privacy,  which  is  comprised  of  broad  cross-section  of  consumer  and  dis- 
abihty  rights  groups  committed  to  educating  and  empowering  healthcare  consumers 
to  have  a  more  prominent  voice  on  health  privacy  issues  at  the  federal,  state,  and 
local  levels. 

Congress  recogni2ed  the  importance  of  protecting  health  privacy  when  it  passed 
the  Health  Information  Portabihty  and  Accountabifity  Act  of  1996.  HIPAA  requires 
that  if  Congress  failed  to  pass  comprehensive  health  privacy  legislation  by  August 
21,  1999,  the  Secretary  of  Health  and  Human  Services  must  issue  regulations  by 
February  21,  2000. 

Congress  did  in  fact  fail  to  meet  the  August  deadline.  Consistent  with  its  legal 
duty  under  HIPAA,  the  Administration  did  issue  draft  health  privacy  regulations 
November  2,  1999.  The  comment  period  was  extended  to  February  17,  2000.  Over 
50,000  comments  were  received,  and  at  least  half  of  those  comments  came  fi*om  the 
consumer  and  disability  rights  advocates.  We  expect  the  regulations  to  be  finalized 
by  late  summer. 

The  proposed  federal  health  privacy  regulations  constitute  a  significant  step  to- 
wards restoring  the  public  trust  and  confidence  in  our  nation's  health  care.  TTiese 
rules,  however,  are  by  no  means  the  final  solution.  By  virtue  of  the  limited  authority 
delegated  by  Congress,  the  proposed  rules  have  limited  applicability  and  cover  only 
health  plans,  health  care  clearinghouses  and  health  care  providers  who  transmit 
health  information  ("covered  entities")  in  electronic  form.  We  appreciate  the  fact 
that  the  Secretary  has  made  a  strong  effort  to  extend  this  coverage  to  a  covered  en- 
tity's business  partners.  But  a  large  segment  of  those  who  hold  health  information 
remains  beyond  the  scope  of  these  regulations. 

Our  testimony  today  fooises  on  two  areas:  1)  the  limitations  of  the  Secretary's  au- 
thority and  the  role  Congress  should  play  to  strengthen  the  final  rule  and  fill  re- 
maining gaps  in  protection,  and  2)  the  strengths  and  weaknesses  of  the  proposed 
regulation. 

II.  PUBUC  NEED  AND  DEMAND  FOR  HEALTH  PRIVACY 

A  substantial  barrier  to  improving  the  quality  of  care  and  access  to  care  in  this 
country  has  been  the  absence  of  enforceable  privacy  rules.  People  are  withdrawing 
fi*om  fill  participation  in  their  own  health  care  because  they  are  afi*aid  their  health 
records  will  fall  into  the  wrong  hands,  and  lead  to  discrimination,  loss  of  benefits, 
stigma,  and  unwanted  exposure.  A  January  1999  s\irvey  by  the  California  Health 
Care  Foundation  found  that  one  out  of  every  six  people  engages  in  some  form  of 
privacy-protective  behavior  to  shield  themselves  from  the  misuse  of  their  health  in- 
formation, including  lying  to  their  doctors,  providing  inaccurate  information,  doctor- 
hopping  to  avoid  a  consolidated  medical  record,  paying  out  of  pocket  for  care  that 
is  covered  by  insurance,  and — ^in  the  worst  cases — avoiding  care  altogether.  (Survey 
released  by  the  California  HealthCare  Foundation,  January  1999) 

Without  trust  that  the  personal,  sensitive  information  they  share  with  their  doc- 
tors will  be  handled  with  some  degree  of  confidentiality,  people  will  not  fiilly  partici- 
pate in  their  own  health  care.  As  a  result,  they  risk  inadequate  care  or  imdetected 
and  untreated  health  conditions.  In  turn,  the  integrity  of  research  and  public  health 
initiatives  that  rely  on  complete  and  accurate  patient  data  may  also  be  com- 
promised. Thus,  protecting  privacy  and  promoting  health  care  quahty  and  access  are 
values  that  must  go  hand-in-hand. 

ni.  THE  ROLE  CONGRESS  SHOULD  PLAY 

The  Secretary's  authority  to  promulgate  health  privacy  regulations  is  delegated  to 
her  in  the  Health  Insurance  Portabihty  and  Accountability  Act.  Due  to  the  con- 
straints imposed  on  her  authority  by  HIPAA,  the  practical  impact  is  that  the  draft 
regulation  falls  short  in  terms  of  scope  of  coverage  and  enforcement.  Congress 
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should  act  swiftlv  to  fill  these  gaps  to  ensure  that  Americans  have  strong  and  com- 
prehensive health  privacy  protections. 

A  Who  is  Covered:  Scope  Should  be  Expanded 

The  draft  rules  issued  by  HHS  only  apply  to  certain  entities:  health  care  provid- 
ers, health  plans,  and  clearinghouses  (entities  that  process  and  transmit  claims 
data).  We  recognize  that  the  scope  of  entities  covered  by  the  regulations  is  limited 
by  the  terms  of  HIPAA,  and  that  the  Secretary  has  attempted  to  cover  as  many  en- 
tities as  possible  given  her  limited  delegated  authority.  By  limiting  the  regulations 
to  health  plans,  health  care  clearinghouses,  and  certain  health  care  providers,  how- 
ever. Congress  has  left  a  large  number  of  entities  unregulated,  leaving  gaps  in  the 
protection  afforded  health  information.  Many  providers,  researchers,  and  oversight 
agencies,  for  example,  will  not  be  subject  to  mis  regulation  even  though  they  collect, 
use,  and  disclose  protected  health  information  that  identifies  individuals. 

The  Secretary  nas  chosen  to  bind  some  non-covered  entities  to  the  principles  of 
the  draft  regulation  by  requiring  covered  entities  to  establish  contracts  with  busi- 
ness partners,  or  by  prohibiting  disclosures.  This  is  a  good  intermediary  step  to  ful- 
fill the  intention  of  the  privacy  language  of  HIPAA.  However,  this  approach  nas  sig- 
nificant limits,  including  the  liability  borne  by  covered  entities,  and  the  difficulty 
in  prohibiting  re-disclosure  by  non-covered  entities. 

The  only  way  to  eliminate  these  gaps  is  for  Congress  to  enact  a  comprehensive 
health  privacy  law.  We  therefore  strongly  urge  Congress  to  pass  a  comprehensive 
health  privacy  law  applicable  to  all  those  who  generate,  maintain,  or  receive  pro- 
tected healtii  information. 

B.  What  is  Covered:  Paper  Records  Should  be  Protected 

The  draft  regiilations  only  apply  to  electronic  health  information,  but  the  vast  ma- 
jority of  health  information  is  currently  maintained  in  paper  form.  We  believe  that 
the  Secretary  has  the  authority  to  extend  the  regulations  that  apply  to  all  health 
information — whether  it  is  maintained  in  paper  or  electronic  format — and  we  rec- 
ommend that  she  does  so. 

In  the  event  that  the  final  regulations  do  not  cover  paper  records,  we  believe  that 
it  is  appropriate  and  necessary  for  Congress  to  extend  the  protections  to  cover  all 
records  maintained  or  transmitted  by  covered  entities. 

The  vast  majority  of  health  information  is  currentiv  maintained  in  paper  form. 
As  proposed,  the  regulations  distinguish  between  health  information  that  at  some 
point  has  been  electronically  maintained  or  transmitted  and  that  which  has  not. 
This  distinction  is  nonsensical,  unworkable  and  imenforceable.  At  some  point,  some, 
but  not  all,  of  the  information  in  the  record  mav  be  transmitted  electronically. 
Under  the  current  proposal,  the  paper  record  would  then  contain  both  protected  in- 
formation (i.e.,  information  that  has  been  electronically  transmitted),  and  unpro- 
tected information  (information  which  has  not  been  so  transmitted).  It  would  be  bur- 
densome and  difficult  to  identify  and  designate  which  information  in  any  particular 
record  is  protected. 

It  would  be  easier  for  a  covered  entitv  to  treat  all  information  it  maintains  or 
transmits  in  the  same  fashion.  Additionally,  for  enforcement  purposes,  it  may  prove 
difficult,  if  not  impossible,  to  estabUsh  that  specific  health  information  at  some  point 
in  its  existence  has  been  transmitted  or  maintained  electronically  and,  therefore,  is 
subject  to  the  regulations.  The  best  way  to  reduce  these  implementation  and  en- 
forcement ambiguities  is  to  make  the  privacy  standards  applicable  to  all  individ- 
ually identifiable  health  information  transmitted  or  maintained  by  a  covered  entity 
regardless  of  its  form. 

Finally,  the  administrative  simplification  provisions  of  HIPAA  appear  to  encour- 
age the  development  of  a  uniform  computer-based  health  information  system.  This 
goal  is  impeded  by  allowing  paper  records  to  remain  beyond  the  scope  of  the  regula- 
tions. There  is  littie  incentive  for  covered  entities  to  convert  to  computer-based 
health  information  systems  if  they  may  avoid  regulation  by  maintaining  paper- 
based  systems. 

C.  Enforcement:  Private  Right  of  Action  Needed 

Under  HIPAA,  the  Secretary  is  unable  to  confer  on  individuals  a  private  right  of 
action  in  the  event  the  rules  are  violated.  When  finalized,  the  regulation  will  be  dif- 
ficult for  HHS  to  oversee  and  enforce,  and  no  federal  remedy  will  be  available  to 
individuals.  Only  Congress  can  fill  these  significant  gaps. 

In  every  other  federal  law  that  protects  the  privacy  of  peoples*  records— fi-om  the 
Right  to  Financial  Privacy  Act  to  the  Video  Privacy  Protection  Act— Congress  has 
seen  fit  to  give  people  the  legal  right  to  go  to  court  to  seek  injunctive  reUef  and  dam- 
ages when  the  law  has  been  violated.  The  remedies  available  under  tiie  proposed 
regulation  are  inadequate  to  ensure  that  the  law  will  be  fully,  and  forcefully,  en- 
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forced.  In  the  absence  of  a  set  of  meaningful  remedies,  a  real  danger  exists  that 
compliance  will  be  weak  and  spotty.  While  we  understand  the  recent  concern  over 
lawsmts,  we  are  unaware  of  significant  problems  that  have  resulted  from  the  rem- 
edies now  available  to  people  under  existing  federal  privacy  statutes. 

IV.  STRENGTHS  AND  WEAKNESSES  OF  THE  PROPOSED  REGULATION 

The  following  is  a  summary  of  the  major  provisions  of  the  proposed  regulation, 
with  our  comments.  The  Health  Privacy  Project  also  staffs  the  Cons-umer  CoaHtion 
for  Health  Privacy,  whose  mission  is  to  educate  and  empower  healthcare  consumers 
to  have  a  prominent  and  informed  voice  on  health  privacy  issues  at  the  federal, 
state,  and  local  levels.  (A  copy  of  the  principles.  Steering  Committee,  and  endorsing 
organizations  is  attached.  Information  is  also  available  at  htt^J/ 
www.healthprivacy.org.)  Members  of  the  coalition  are  committed  to  the  development 
and  enactment  of  pubhc  policies  and  private  standards  that  guarantee  the  confiden- 
tiality of  personal  health  information  and  promote  both  access  to  high  quaHty  care 
and  ^e  continued  viability  of  medical  research.  Funding  for  the  Consumer  Coalition 
is  provided  solely  by  the  Open  Society  Institute.  Many  members  of  the  Coalition 
submitted  their  own  comments  on  the  draft  regulation.  Others  have  endorsed  the 
comments  submitted  by  the  Health  Privacy  Project  and  are  reflected  in  the  com- 
ments themselves. 

The  full  text  of  our  comments,  with  the  names  of  endorsing  organizations,  is  at- 
tached. (The  comments  are  also  available  at  http://www.healthprivacy.org.) 

A  Who  is  Covered 

Again,  by  statute,  the  Secretary  can  directly  regulate  only  health  care  providers, 
health  plans  and  health  care  clearinghouses,  all  of  which  are  defined  as  "covered 
entities."  We  behe^^e  that  the  most  effective  way  to  extend  the  scope  of  coverage  is 
through  a  comprehensive  health  privacy  law  that  covers  all  entities  that  use  and 
disclose  individually  identifiable  health  information. 

In  the  draft  regulation,  the  Secretary  attempts  to  address  this  statutory  weakness 
by  requiring  covered  entities  to  have  contracts  restricting  uses  and  disclosures  with 
their  "business  partners,"  i.e.,  certain  persons  and  organizations  to  whom  they  dis- 
close protected  health  information.  We  commend  the  Secretary  on  her  efforts  to  en- 
compass as  broad  a  field  as  possible  under  the  proposed  regulations.  In  our  complete 
comments,  we  suggest  ways  in  which  the  contracts  between  business  partners  might 
be  improved. 

The  Secretary  also  attempts  to  address  the  circumstance  under  which  an  organi- 
zation provides  some  health  care  or  has  created  a  health  plan,  but  is  not  primarily 
engaged  in  these  activities  (such  as  a  school  that  has  an  infirmary).  Although  the 
Secretary  discusses  treating  only  the  health  care  component  as  a  "covered  entity", 
the  regulations  do  not  expressly  carry  out  this  intent.  We  suggest  that  this  intent 
to  designate  only  the  health  care  component  of  a  mixed  entity  as  a  "covered  entity" 
be  incorporated  in  the  regulations.  Additionally,  the  Secretary's  explanation  con- 
cerning employers  and  how  they  fit  into  the  regulatory  scheme  is  somewhat  confus- 
ing. We  sukgest  that  the  Secretary  clarify  the  responsibihties  of  employers  that 
sponsor  health  plans. 

B.  What  is  Covered 

Again,  the  draft  regulation  currently  only  appHes  to  health  information  main- 
tained and  transmitted  in  electronic  form.  We  beUeve  that  the  Secretary  currently 
has  the  authority  to  promulgate  regulations  that  apply  to  all  health  information — 
whether  it  is  maintained  in  electronic  or  paper  format — used  and  disclosed  by  cov- 
ered entities. 

C.  Patients'  Access  to  their  Own  Health  Records 

The  draft  regulations  give  people  the  right  to  see  and  copy  their  own  health  infor- 
mation, and  to  request  that  it  be  correct^  or  amended.  We  commend  this  effort  to 
extend  these  fair  information  practices  to  health  information. 

We  believe,  however,  that  the  Secretary  has  used  a  somewhat  minimahst  ap- 
proach towards  these  rights.  In  our  comments,  we  suggest  a  number  of  ways  in 
which  the  right  of  access  can  be  made  more  meaningful.  Our  major  suggestions  in- 
clude: 

The  decision  to  deny  an  individual's  request  for  access  to  his  health  information 
should  ultimately  be  made  by  a  health  care  provider  who  is  qualified  to  treat  the 
patient  for  the  condition  that  is  the  subject  of  the  health  information; 

There  should  be  a  meaningful  appeals  process  for  denials  of  access  to  health  infor- 
mation; and 
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The  regulations  should  expressly  state  that  a  covered  provider  may  not  deny  an 
individual  access  to  his  protected  health  information  because  of  an  impaid  bill  for 
health  care  services. 

D.  Notice  of  Information  Practices 

The  regulations  give  individuals  the  right  to  receive  adequate  notice  of  the  infor- 
mation practices  of  covered  plans  and  providers.  We  approve  of  this  approach.  We 
are  also  pleased  that  the  regulation  requires  the  notice  to  address  the  entity's  exist- 
ing information  practices,  rather  than  possible  information  practices,  and  suggest 
that  this  component  of  the  regulation  be  preserved.  We  recommend  changes  that 
strengthen  the  notice  provisions,  including  a  requirement  that  covered  entities  make 
a  reasonable  effort  to  obtain  a  signed  acknowledgment  that  the  individual  has  re- 
ceived and  read  the  notice  of  information  practices. 

E.  Patient  Authorization 

The  proposed  rules  would  allow  health  information  to  be  used  and  shared  easily 
for  treatment,  payment  and  health  care  operations,  without  the  consent  of  the  pa- 
tient. While  we  understand  the  need  to  strike  a  balance  between  individuals'  pri- 
vacy rights  and  the  practical  necessity  of  using  and  disclosing  health  information 
for  certain  purposes,  we  beheve  that  the  proposed  regulations  give  too  little  weight 
to  individual  rights.  Under  the  proposed  rules,  people  have  no  ability  to  control  or 
even  monitor  the  use  and  disclosure  of  protected  health  information  for  purposes  of 
treatment,  payment  and  health  care  operations.  We  find  this  particularly  disturbing 
given  the  Secretary's  proposed  construction  that  "treatment"  includes  the  treatment 
of  all  individuals,  not  just  the  individual  subject  of  the  information. 

The  regulations  should  require  authorization  from  the  individual  for  the  use  and 
disclosure  of  information  for  treatment,  payment  and  health  care  operations,  which 
should  be  renewed  at  least  once  every  three  years  or  whenever  the  patient  changes 
insurance  companies,  whichever  occurs  first.  At  an  absolute  minimum,  covered  enti- 
ties should  have  the  option  to  require  patient  authorization  for  treatment,  payment 
and  health  care  operations. 

The  terms  "treatment"  and  "payment"  should  be  narrowly  interpreted  as  applying 
to  the  individual  who  is  the  subject  of  the  information. 

The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease  manage- 
ment programs  are  only  conducted  with  the  authorization  of  the  treating  physician. 

The  regulation  should  expressly  state  that  the  term  "health  care  operations"  in- 
cludes only  disclosures  made  to  the  covered  entity  (or  a  business  partner  of  such 
entity)  on  whose  behalf  the  operation  is  being  performed. 

The  regulations  should  limit  the  definition  of  health  care  operations  to  include 
only  those  operations  that  cannot  be  carried  on  with  reasonable  effectiveness  and 
efficiency  without  protected  health  information. 

Health  care  providers  should  be  subject  to  the  verification  requirements  of  the 
regulations  when  the  request  for  information  for  treatment  purposes  originates  out- 
side of  the  covered  entity. 

We  support  the  regulations'  requirement  that  covered  entities  obtain  an  author- 
ization fi*om  the  individual  for  most  uses  and  disclosures  that  are  not  directly  relat- 
ed to  treatment,  payment  or  health  care  operations.  We  also  strongly  agree  that  con- 
sent must  be  voluntary,  and  cannot  be  tied  to  the  delivery  of  any  benefits  or  serv- 
ices. In  addition  to  these  requirements,  we  recommend  that  covered  entities  be  re- 
quired to  obtain  individual  authorization  prior  to  making  certain  disclosures  of  in- 
formation pertaining  to  an  individual's  request  or  receipt  of  sensitive  health  serv- 
ices. 

F.  Minimum  Necessary 

The  proposed  regulation  requires  organizations  to  "make  all  reasonable  efforts  not 
to  use  or  disclose  more  than  the  minimvun  amount  of  protected  health  information 
necessary  to  accompUsh  the  intended  piupose  of  the  use  or  disclosure."  We  believe 
that  this  is  the  proper  approach  but  that  it  does  not  go  far  enough  because  it  does 
not  apply  to  a  large  number  of  uses  and  disclosures.  We  urge  the  Secretary  to  ex- 
tend this  minimization  requirement  to  most  uses  and  disclosures. 

G.  Patient's  Right  to  Restrict  Disclosures 

The  proposed  regulations  give  an  individual  the  right  to  request  restrictions  on 
the  use  and  disclosure  of  protected  health  information  for  purposes  of  treatment, 
payment,  and  health  care  operations.  That  request  can  only  be  made  to  a  health 
care  provider,  and  it  must  be  agreed  to  by  that  provider.  We  suggest  that  the  regu- 
lations be  amended  in  the  following  ways: 
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Allow  individuals  to  have  a  true  right  to  restrict  (not  just  the  right  to  request  re- 
strictions on)  the  use  and  disclosiire  of  their  protected  health  information  where  the 
disclosure  of  that  information  could  jeopardize  the  safety  of  the  individual. 

Allow  individuals  who  pay  for  their  own  medical  care  (self-pay)  to  have  a  true 
right  to  restrict  the  disclosure  of  their  protected  health  information. 

Allow  individuals  to  require  or  request  restrictions  from  all  covered  entities,  not 
just  health  care  providers. 

Require  all  covered  entities  that  receive  health  care  information  that  are  subject 
to  a  restriction  to  comply  with  the  restriction. 

H.  Psychotherapy  Notes 

We  strongly  commend  the  Secretary  for  excepting  psychotherapy  notes  from  the 
general  rule  allowing  for  the  free  flow  of  information  for  treatment,  payment  and 
health  care  operations  purposes.  The  proposed  regulations  limit  access  to  psycho- 
therapy notes,  absent  specific  consent  from  the  individual.  We  believe,  however,  ad- 
ditional protections  are  critical  for  ensxuing  the  level  of  privacy  essential  for  effec- 
tive mental  health  care. 

/.  Law  Enforcement 

While  we  acknowledge  the  positive  shift  in  the  Secretary's  approach  from  her 
1997  position  that  law  enforcement  should  continue  to  have  imfettered  access  to 
medical  records,  this  current  proposal  continues  to  fall  far  short  of  meaningful 
standards.  We  urge  that  the  final  regulation:  Require  that  law  enforcement  officials 
obtain  legal  process  issued  by  a  neutral  magistrate,  and  Require  that  legal  process 
issue  only  after  the  magistrate  has  applied  a  strong  legal  standard  in  weighing  the 
request. 

J.  Health  Oversight 

We  believe  it  is  critical  for  the  Secretary  to  clearly  distinguish  between  law  en- 
forcement access  and  access  to  conduct  health  oversight  activities. 

We  are  also  deeply  concerned  that  the  health  oversight  section  contains  too  few 
limits  on  access  and  reuse  of  protected  health  information.  In  particular,  we  believe 
that  where  health  information  is  used  in  a  health  oversight  investigation,  there 
should  be  a  prohibition  on  the  re-use  and  re-disclosure  of  protected  health  informa- 
tion in  actions  against  individuals.  Such  a  limit  is  essential  to  ensure  that  the  rel- 
atively easy  access  afforded  to  health  oversight  officials  does  not  become  the  back- 
door for  law  enforcement  access. 

While  this  prohibition  may  be  beyond  the  Secretary's  authority  in  this  regulation, 
we  do  believe  that  the  Executive  Branch  is  empowered  to  issue  an  Executive  Order 
barring  the  re-use  and  re-disclosure  of  protected  health  information  obtained  pursu- 
ant to  oversight.  Such  an  order  would  establish  legally  enforceable  limits  directly 
on  the  feder^  employees  charged  with  executing  healtii  oversight  responsibihties. 

K  Research 

We  support  the  general  approach  towards  research  in  the  regulations.  We  are 
pleased  that  the  regulation  aims  to  establish  uniform  rules  for  researchers  regard- 
less of  the  source  of  funding.  The  regulation  seeks  to  accompUsh  this  goal,  however, 
by  allowing  covered  entities  to  disclose  protected  health  information  to  researchers 
without  patient  authorization  if  the  disclosure  has  been  approved  by  an  Institu- 
tional Review  Board  (IRB),  or  a  newly  created  privacy  board.  We  believe  that  the 
Secretary  should  eliminate  the  option  of  using  a  privacy  board. 

If  the  regulation  does  not  bring  all  research  under  the  Common  Rule,  the  pro- 
posed regulation  should  be  revised  to  ensure  that  there  are  similar  standards  and 
equal  oversight  and  accountability  for  both  IRBs  and  privacy  boards. 

L.  Enforcement 

We  recognize  that  the  Secretary  is  limited  in  addressing  enforcement  mechanisms 
by  the  delegation  of  authority  in  HIPAA.  Thus,  it  is  critical  that  the  Congress  act 
to  grant  people  a  private  right  of  action  to  enforce  their  rights  under  this  regulation. 

Af.  Preemption 

We  strongly  support  the  approach  in  HIPAA  and  the  proposed  regulations  that 
the  federal  privacy  regulations  will  act  as  a  floor,  but  not  a  ceiling,  on  privacy  pro- 
tections afforded  by  the  States.  Under  this  approach,  weaker  State  health  privacy 
laws  are  preempted  (or  overridden)  while  State  laws  that  offer  more  protection  than 
the  federal  regulations  will  remain.  Furthermore,  this  approach  allows  a  State,  in 
the  future,  to  enact  stronger  privacy  protections  to  meet  the  changing  needs  of  its 
citizens. 
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We  believe  that  the  regulations  should  provide  definitions  of  the  terminology  used 
in  the  preemption  provisions  for  general  purposes,  not  just  for  use  in  the  Secretary's 
advisory  opinions.  We  also  believe  that  the  regulation  should  treat  state  laws  per- 
taining to  disclosures  about  minors  the  same  as  other  state  laws  generally,  preempt- 
ing state  laws  that  are  contrary  to  the  proposed  rule  and  less  protective  of  the  pri- 
vacy of  minors.  Lastly,  we  are  very  concerned  about  the  breadth  of  the  provision 
under  which  a  State  may  request  a  waiver  that  would  allow  a  weaker  State  health 
privacy  law  to  stand,  essentially  making  the  analogous  federal  regulation  inapplica- 
ble in  that  State. 

V.  CONCLUSION 

On  balance,  we  believe  that  the  proposed  health  privacy  regulations  are  a  signifi- 
cant and  vitally  important  step  towards  guaranteeing  the  American  public  a  greater 
degree  of  privacy  protection  for  their  medical  records.  When  finalized,  the  regulation 
win  be  the  first  comprehensive  federal  rules  on  health  privacv,  establishing  a  mini- 
mum set  of  standards  by  which  health  care  providers,  health  plans,  and  others, 
must  comply.  As  such,  the  regulations  will  not  only  foster  greater  public  trust  and 
confidence  in  our  nation's  health  care  system,  but  they  will  also  bring  much-needed 
uniformity  and  predictabilitv  to  the  privacy  rules  that  must  be  adhered  to  across 
the  coimtiy.  Most  importantly,  the  regulation  will  establish  greater  uniformity  while 
leaving  states  the  flexibility  to  act  on  behalf  of  their  residents  and  augment  uie  reg- 
ulation as  needed. 

We  do  believe  that  it  is  crucial  for  Congress  to  act  to  fill  the  gaps  in  the  proposed 
rule:  the  regulation  should  be  extended  to  cover  all  medical  information,  whether 
paper  or  electronic  form;  the  regulation  should  cover  all  of  those  who  generate, 
maintain  or  receive  protected  health  information;  and  the  regulation  should  include 
a  private  right  of  action. 
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GENERAL  COMMENTS 

Medical  information  is  some  of  the  most  sensitive  information  concerning  a  person's  life. 
In  spite  of  the  sensitive  nature  of  this  information,  health  consumers  have  had  a  minimal  amount 
of  knowledge  or  control  over  this  information.  People  do  not  know  what  information  is  in  their 
medical  records,  who  has  access  to  this  information  or  how  their  health  information  is  being 
used.  Additionally,  people  have  little  control  over  the  disclosure  and  use  of  this  information. 
Faced  with  potential  discrimination,  loss  of  benefits,  and  stigma  if  their  health  information  falls 
into  the  wrong  hands,  people  are  withdrawing  from  ftill  participation  in  their  own  health  care. 

The  proposed  federal  health  privacy  regulations  constitute  a  significant  step  towards 
restoring  the  public  trust  and  confidence  in  our  nation's  health  care.  These  rules,  however,  are  by 
no  means  the  final  solution.  By  virtue  of  the  limited  authority  delegated  by  Congress,  the 
proposed  rules  have  limited  applicabihty  and  cover  only  health  plans,  health  care  clearinghouses 
and  health  care  providers  who  transmit  health  information  ("covered  entities")  in  electronic 
form.  We  appreciate  the  fact  that  the  Secretary  has  made  a  strong  effort  to  extend  this  coverage 
to  a  covered  entity's  business  partners.  But  a  large  segment  of  those  who  hold  health  information 
remains  beyond  the  scope  of  these  regulations.  In  addition,  the  Secretary  is  unable  to  confer  on 
individuals  a  private  right  of  action  in  the  event  the  rules  are  violated.  Only  Congress  can  fill 
these  significant  gaps. 

The  draft  regulations  give  people  the  right  to  see  and  copy  their  own  health  information, 
and  to  request  that  it  be  corrected  or  amended.  We  commend  this  effort  to  extend  these  fair 
information  practices  to  health  information. 

The  proposed  rules  also  govern  the  flow  of  health  information.  The  regulations  would 
allow  health  information  to  be  used  and  shared  easily  for  treatment,  payment  and  health  care 
operations,  without  the  consent  of  the  patient.  While  we  understand  the  need  to  strike  a  balance 
between  individuals'  privacy  rights  and  the  practical  necessity  of  using  and  disclosing  health 
information  for  certain  purposes,  we  believe  that  the  proposed  regulations  give  too  little  weight 
to  individual  rights.  Under  the  proposed  rules,  people  have  no  ability  to  control  or  even  monitor 
the  use  and  disclosvue  of  protected  health  information  for  purposes  of  treatment,  payment  and 
health  care  operations.  We  find  this  particularly  disturbing  given  the  Secretary's  proposed 
construction  that  '^treatment"  includes  the  treatment  of  all  individuals,  not  just  the  individual 
subject  of  the  information. 

There  are  a  host  of  other  specific  disclosures,  such  as  to  law  enforcement,  which  are  also 
permitted  without  patient  authorization  under  the  proposed  regulations.  We  are  encouraged  by 
the  Secretary's  shift  towards  providing  more  protective  procedures  prior  to  allowing  disclosures 
of  health  information  to  law  enforcement  officials.  We  believe  that  further  protections  are 
necessary  in  this  section  to  bolster  public  trust  and  confidence  that  their  health  information  will 
not  be  used  against  them  improperly. 

In  short,  we  believe  the  proposed  privacy  regulations  are  an  important  step  towards 
protecting  health  information,  but  that  much  work  remains  to  be  done. 
SUMMARY  OF  COMMENTS  BY  TOPIC 

A-       Rigbt  of  Privacy 

The  current  regulations  do  not  expressly  state  that  they  are  intended  to  define  and 
protect  the  rights  of  individuals  in  their  individually  identifiable  health  information.  We 
suggest  that  the  regulations  be  amended  to  reflect  this  intent 
See  car  comments  under  "Need  for  Privacy  Standards.'* 

B.       What  Is  Covered 

The  draft  regulations  only  apply  to  electronic  health  information,  but  the  vast 
majority  of  health  information  is  currently  maintamtvl  -n  pacer  form.  We  recommend 
that  the  regulations  be  revised  to  cover  all  health  information,  in  whatever  form  that  is 


104 


maintained  or  transmitted  by  covered  entities. 
See  oar  comments  ander  ^Applicability.'* 

We  are  concerned  that  the  regulations  apply  to  the  protected  health  information  of 
a  deceased  person  only  for  a  two-year  period  after  death.  We  suggest  that  this 
information  be  protected  for  as  long  as  it  is  maintained  by  a  covered  entity. 
See  our  comments  under  '^Deceased  Persons.^ 


C.       Who  Is  Covered 

By  statute,  the  Secretary  can  directly  regulate  only  health  care  providers,  health 
plans  and  health  care  clearinghouses,  all  of  which  are  defined  as  "covered  entities."  The 
Secretary  attempts  to  extend  this  coverage  indirectly  by  requiring  covered  entities  to  have 
contracts  restricting  uses  and  disclosures  with  their  "business  partners,"  i.e.,  certain 
persons  and  organizations  to  whom  they  disclose  protected  health  information.  Although 
we  would  prefer  comprehensive  legislation  directly  controlling  those  who  have  access  to 
protected  health  information,  we  commend  the  Secretary  on  her  efforts  to  encompass  as 
broad  a  field  as  possible  under  the  proposed  regulations.  We  also  urge  Congress  to  fill 
these  gaps  in  coverage  directly. 

The  Secretary  also  attempts  to  address  the  circumstance  under  which  an 
organization  provides  some  health  care  or  has  created  a  health  plan,  but  is  not  primarily 
engaged  in  these  activities  (such  as  a  school  that  has  an  infirmary).  Although  the 
Secretary  discusses  treating  only  the  health  care  component  as  a  "covered  entity",  the 
regulations  do  not  expressly  carry  out  this  intent.  We  suggest  that  this  intent  to  designate 
only  the  health  care  component  of  a  mixed  entity  as  a  "covered  entity"  be  incorporated  in 
the  regulations.  Additionally,  the  Secretary's  explanation  concerning  employers  and  how 
they  fit  into  the  regulatory  scheme  is  somewhat  confiising.  We  suggest  that  the  Secretary 
clarify  the  responsibilities  of  employers  that  sponsor  health  plans. 
See  oar  comments  under  '^Applicability,'*  **Basiness  Partners,**  'HTompoiient 
Entities,**  and  ''Banking  and  Payment** 


D.       Patient  Access 

We  strongly  support  individuals  being  given  the  right  to  see,  copy  and  correct 
their  health  information.  We  believe,  however,  that  the  Secretary  has  used  a  somewhat 
minimalist  approach  towards  these  rights.  In  our  comments,  we  suggest  a  number  of 
ways  in  which  the  right  of  access  can  be  made  more  meaningful.  Our  major  suggestions 
include: 

♦  The  decision  to  deny  an  individual's  request  for  access  to  his  health 
information  should  ultimately  be  made  by  a  health  care  provider  who  is 
qualified  to  treat  the  patient  for  the  condition  that  is  the  subject  of  the  health 
information; 

4  There  should  be  a  meaningful  appeals  process  for  denials  of  access  to  health 
information;  and 

♦  The  regulations  should  expressly  state  that  a  covered  provider  may  not  deny 
an  individual  access  to  his  protected  health  information  because  of  an  unpaid 
bill  for  health  care  services. 

See  our  comments  under:  '^ Access  for  Inspection  and  Copying,**  '* Accounting  of 
Disclosures,**  and  "Amendment  or  Correction.** 


E.       Fair  Information  Practices  -  Notice  of  Information  Practices  and  Disclosing 
only  the  Minimum  Amount  of  Information  Necessary 
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The  regulations  give  individuals  the  right  to  receive  adequate  notice  of  the 
infonnation  practices  of  covered  plans  and  providers.  We  approve  of  this  approach.  We 
are  also  pleased  dial  the  regulation  requires  the  notice  to  address  the  entity's  existing 
mformation  practices,  rather  than  possible  infonnation  practices,  and  suggest  that  this 
component  of  the  regulation  be  preserved.  We  recommend  changes  that  strengthen  the 
notice  provisions,  including  a  requirement  that  covered  entities  make  a  reasonable  effort 
to  obtain  a  signed  acknowledgment  that  the  individual  has  received  and  read  the  notice  of 
information  practices. 

See  our  comments  ander  *^Notice  of  Information  Practices'*  and  Adherence  to 
Notke." 

The  proposed  regulation  requires  organizations  to  "make  all  reasonable  efforts  not 
to  use  or  disclose  more  than  the  minimum  amount  of  protected  health  information 
necessary  to  accompUsh  the  intended  purpose  of  the  use  or  disclosure."  We  beheve  that 
this  is  the  proper  approach  but  that  it  does  not  go  far  enough  because  it  does  not  apply  to 
a  large  number  of  uses  and  disclosures.  We  urge  the  Secretary  to  extend  this 
minimization  requirement  to  most  uses  and  disclosures. 
See  our  comments  under  '^Minimum  Necessary." 

F.       Patient  Authorizatioo  iWot  Required  for  Treatment,  Payment  and  Health 
Care  Operations 

The  proposed  regulations  allow  health  providers,  health  plans  and  health  care 
clearingjiouses  to  use  and  disclose  protected  health  information  without  any  patient 
authorization  for  treatment,  payment  and  health  care  operations.  The  Secretary  intends 
that  these  terms  be  construed  broadly  as  applying  to  the  treatment  and  payment  of  all 
individuals,  not  just  the  person  who  is  the  subject  of  the  information.  Additionally,  the 
Secretary  intends  to  preclude  health  care  providers  from  seeking  authorizations  for 
treatment  We  strongly  disagree  with  the  Secretary's  approach,  which  allows  the  total 
free-flow  of  information  for  these  purposes  without  any  input  from  the  individual  and 
without  any  mechanism  for  the  individual's  being  able  to  verify  that  the  infonnation  is 
being  used  and  disclosed  for  the  proper  reasons.  We  specifically  request  that  the 
following  changes  be  made: 

♦  The  regulations  should  require  authorization  from  the  individual  for  the  use 
and  disclosure  of  information  for  treatment,  payment  and  health  care 
operations,  which  should  be  renewed  at  least  once  every  three  years  or 
whenever  the  patient  changes  insurance  companies,  whichever  occurs  first. 

♦  The  final  regulations,  at  a  minimum,  should  allow  entities  to  have  the  option 
to  require  patient  authorization  for  treatment,  payment  and  health  care 
operations. 

♦  The  terms  "treatment"  and  "payment"  should  be  narrowly  interpreted  as 
applying  to  the  individual  who  is  the  subject  of  the  information. 

♦  The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease 
management  programs  are  only  conducted  with  the  authorization  of  the 
treating  physician. 

♦  The  regulation  should  expressly  state  that  the  term  "health  care  operations" 
includes  only  disclosures  made  to  the  covered  entity  (or  a  business  partner  of 
such  entity)  on  whose  behalf  the  operation  is  being  performed. 

♦  The  regulations  should  hmit  the  definition  of  health  care  operations  to  include 
only  those  operations  that  caimot  be  carried  on  with  reasonable  effectiveness 
and  efficiency  without  protected  health  information. 
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♦  Health  care  providers  should  be  subject  to  the  verification  requirements  of  the 
regulations  when  the  request  for  information  for  treatment  purposes  originates 
outside  of  the  covered  entity. 
See  our  comments  uoder  '^Treatment,  Payment  and  Health  Care  Operations.** 


G.      Patient's  Right  to  Restrict  Disclosures 

The  proposed  regulations  give  an  individual  the  right  to  request  restrictions  on  the 
use  and  disclosure  of  protected  health  information  for  purposes  of  treatment,  payment, 
and  health  care  operations.  That  request  can  only  be  made  to  a  health  care  provider,  and  it 
must  be  agreed  to  by  that  provider.  We  suggest  that  the  regulations  be  amended  in  the 
following  ways: 

♦  Allow  individuals  to  have  a  tnie  right  to  restrict  (not  just  the  right  to  request 
restrictions  on)  the  use  and  disclosure  of  their  protected  health  information 
where  the  disclosure  of  that  information  could  jeopardize  the  safety  of  the 
individual. 

♦  Allow  individuals  who  pay  for  their  own  medical  care  (self-pay)  to  have  a  true 
right  to  restrict  the  disclosure  of  their  protected  health  infonnation. 

♦  Allow  individuals  to  require  or  request  restrictions  fi-om  all  covered  entities, 
not  just  health  care  providers. 

♦  Require  all  covered  entities  that  receive  health  care  infonnation  that  are 
subject  to  a  restriction  to  comply  with  the  restriction. 

See  our  comments  under  ''Right  to  Request  Restrictions.'* 


H.      Psychotherapy  Notes 

We  strongly  commend  the  Secretary  for  excepting  psychotherapy  notes  firom  the 
general  rule  allowing  the  free  flow  of  information  for  treatment,  payment  and  health  care 
operations  purposes.  The  proposed  regulations  limit  access  to  psychotherapy  notes, 
absent  specific  consent  from  the  individual.  We  believe,  however,  additional  protections 
are  critical  for  ensuring  the  level  of  privacy  essential  for  effective  mental  health  care. 
See  our  comments  under  '^Treatment,  Payment  and  Health  Care  Operations.** 

L        Patient  Authorization  Required 

We  support  the  regulations'  requirement  that  covered  entities  obtain  an 
authorization  from  the  individual  for  most  uses  and  disclosures  that  are  not  directly 
related  to  treatment,  payment  or  health  care  operations.  We  also  strongly  agree  diat 
consent  must  be  voluntary,  and  caimot  be  tied  to  the  delivery  of  any  benefits  or  service. 
In  addition  to  these  requirements,  we  recommend  that  covered  entities  be  required  to 
obtain  individual  authorization  prior  to  making  certain  disclosures  of  information 
pertaining  to  an  individual's  request  or  receipt  of  sensitive  health  services. 
See  our  comments  under  '^Individual  Authorization.** 


J.       Law  Enforcement 

We  acknowledge  the  positive  shift  in  the  Secretary's  approach  from  her  1997 
position  that  law  enforcement  should  continue  to  have  unfettered  access  to  medical 
records,  however  this  proposal  continues  to  fall  far  short  of  meaningful  standards.  We 
urge  that  the  final  regulation  include  requirements  that: 

♦   law  enforcement  officials  obtain  legal  process  issued  by  a  neutral 
magistrate,  and 
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♦   legal  process  issue  only  after  the  magistrate  has  applied  a  strong  legal 
standard  in  weighing  the  request 
See  oar  commeiits  ander  "Law  EDforcement" 


K      Miaors'  Rights 

We  gaierally  are  pleased  with  the  way  the  Secretary  has  handled  the  rights  of 
minors  under  the  proposed  regulations.  In  particular,  we  endorse  the  preservation  of  the 
status  quo  thai  provides  that  when  a  minor  lawfiilly  obtains  a  health  care  service  without 
the  consent  of  or  notification  to  a  parent,  the  minor  has  the  exclusive  right  to  exercise  the 
ri^ts  of  an  individual.  We  recommend  a  number  of  changes  to  the  proposed  regulations 
that  would  stroigtben  minors'  rights. 

See  OUT  commeBts  ander  "Defiaitioos  -  Ifldhidaai,''  *^  Directory  Iflformation,'' 
''Reiatioaskip  to  State  Laws,"  aad  "Access  for  laspection  and  Copying." 


L.  Research 

We  support  the  general  approach  towards  research  in  the  regulations.  We  are 
pleased  that  the  regulation  aims  to  establish  uniform  rules  for  researchers  regardless  of 
the  source  of  funding.  The  regulation  seeks  to  accompUsh  this  goal,  however,  by 
allowing  covered  entities  to  disclose  protected  health  information  to  researchers  without 
patient  autborizatioo  if  the  disclosure  has  been  approved  by  an  Institutional  Review 

Board  (IRB),  or  a  newly  created  pnvacy  board.  We  believe  that  the  Secretary  should 
eliminate  the  option  of  using  a  privacy  board. 

If  the  regulation  does  not  bring  all  research  under  the  Common  Rule,  the  proposed 
regulation  should  be  revised  to  ensure  that  there  are  similar  standards  and  equal  oversight 
and  accountability  for  both  ERBs  and  privacy  boards. 

See  oar  comments  under  "Research,"  "Defiaitioos  -  Research  informatioa  oorelated 
to  treatment,  health  infonnatioa,  and  indrvidaaUy  identifiable  health  informatioa," 
aad  "Deceased  Persons." 


M.      JodiciaJ  and  Administrative  Hearings 

We  appreciate  the  Secretary's  approach  in  section  164.510(dXl)  which  limits 
disclosures  of  protected  health  information  to  cases  where  parties  have  obtained  a  court 
or  administrative  order,  or  in  cases  where  the  individual  who  is  the  subject  of  the 
information  is  a  party  to  the  proceeding  and  his  or  her  medical  condition  or  history  is  at 
issue.  We  are  concerned,  however,  that  there  is  still  the  potential  for  real  damage  to 
individuals  because  the  rule  does  not  go  far  enough  to  establish  proper  limits  with  regard 
to  judicial  and  administrative  proceedings.  We  therefore  suggest  that  the  following 
changes  be  made: 

♦  Specify  minimum  information  that  must  be  included  in  court  and 
administrative  orders  requiring  disclosure  of  protected  health  information; 

♦  Specify  that  disclosing  not  pursuant  to  a  court  order  must  be  limited  to  the 
amount  reasonably  necessary  to  respond  to  the  subpoena;  and 

♦  Provide  that  covered  entities  may  not  disclose  information  unless  the 
individual  who  is  the  subject  of  the  information  or  the  individual's 
representative  has  had  a  reasonable  opportunity  to  object  to  the  disclosure. 

See  oor  comments  under  "Judicial  and  Administrative  Proceedings." 
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N.      Health  Oversight 

We  arc  deeply  concerned  that  the  health  oversight  section  contains  too  few  limits 
on  access  and  reuse  of  protected  health  information.  We  urge  that  the  final  regulation 
include  a  bar  on  the  re-use  and  re-disclosure  of  protected  health  information  in  actions 
against  individuals.  Such  a  limit  is  essential  to  ensure  that  the  relatively  easy  access 
afforded  to  health  oversight  officials  does  not  become  the  back-door  for  law  enforcement 
access.  We  believe  it  is  critical  for  the  Secretary  to  clearly  distinguish  between  law 
enforcement  access  and  access  to  conduct  health  oversight  activities. 
See  oar  coDunents  under  '^Health  Oversight'' 
O.  PreemptioB 

We  strongly  support  die  approach  in  HIPAA  and  the  proposed  regulations  that  the 
federal  privacy  regulations  will  act  as  a  floor,  but  not  a  ceiling,  on  privacy  protections 
afforded  by  the  States.  Under  this  approach,  weaker  State  health  privacy  laws  are 
preempted  (or  overridden)  while  State  laws  that  offer  more  protection  than  the  federal 
regulations  will  remain.  Furthermore,  this  approach  allows  a  State,  in  the  fiiture,  to  enact 
stronger  privacy  protections  to  meet  the  changing  needs  of  its  citizens. 

We  believe  that  the  regulations  should  provide  definitions  of  the  terminology  used 
in  the  preemption  provisions  for  general  purposes,  not  just  for  use  in  the  Secretary's 
advisory  opinions.  We  also  believe  that  the  regulation  should  treat  state  laws  pertaining 
to  disclosures  about  minors  the  same  as  other  state  laws  generally,  preempting  state  laws 
that  are  contrary  to  the  proposed  rule  and  less  protective  of  the  privacy  of  minors.  Lastly, 
we  are  very  concerned  about  the  breadth  of  the  provision  under  which  a  State  may 
request  a  waiver  that  would  allow  a  weaker  State  health  privacy  law  to  stand,  essentially 
making  the  analogous  federal  regulation  inapplicable  in  that  State. 
See  our  comments  under  '^Relationship  to  State  Laws.** 


P.  Enforcement 

We  recognize  that  the  Secretary  is  limited  in  addressing  enforcement  mechanisms 
by  the  delegation  of  authority  in  HBPAA.  Thus,  it  is  critical  that  the  Congress  act  to  grant 
people  a  private  right  of  action  to  enforce  their  rights  under  this  regulation. 
See  onr  comments  nndcr  '^Compliance'*  and  ''Enforcement'* 

NEED  FOR  PRIVACY  STANDARDS 
Section  160.101       Sutntory  basis  and  purpose. 
SUMMARY 

The  purpose  of  the  regulations,  as  specified  in  section  160.101.  is  **to  promote  administrative 
simplification."  We  believe  diis  regulation  should  also  expressly  state  that  the  purpose  of  the 
proposed  privacy  regulations  is  to  define  and  protect  the  rights  of  individuals  in  ttwir  individually 
identifiable  health  infomiation. 


Recommendation: 

Section  160. 101  should  be  amended  to  expressly  state  that  one  of  the  purposes  of  the  privacy 
provisions  is  to  define  and  protect  the  rights  of  individual's  individually  identifiable  health 
infomution.  The  preamble  should  also  expressly  state  that  the  proposed  privacy  regulations  arc 
intended  to  serve  individuals. 

Rationale: 

Section  264  of  HIPAA  directed  the  Secretary  to  submit  recommendations  to  Congress 
addressing,  among  other  things,  the  rights  that  an  individual  who  is  a  subject  of  individually 
identifiable  health  information  should  have.  HIPAA  then  specifies  that  if  Congress  fails  to  pass 
legislation  governing  standards  with  respect  to  the  privacy  of  individually  identifiable  health 
information,  the  Secretary  is  to  promulgate  regulations  containing  such  standards.  The  Act 
specifically  directs  the  Secretary  to  address  the  rights  an  individual  who  is  the  subject  of 
individually  identifiable  health  information  should  have. 
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In  the  Recommendations  of  the  Secretary  of  Health  and  Human  Services  submitted  to  Congress 
in  1997,  the  Secretary  recognized  that  "patients  have  a  legitimate  need  for  assurance  of  the 
confidentiality  that  permits  them  to  be  frank  with  their  physicians  about  their  health  conditions 
and  behavior.  That  assurance  is  fundamental  to  effective  diagnosis,  treatment  and  healing,  and  to 
the  privacy  that  we  in  the  United  States  cherish  as  essential  to  personal  freedom  and  well-being." 
Confidentiality  of  Individually  -  Identifiable  Health  Information.  Recommendations  of  the 
Secretary  of  Health  and  Human  Services,  submitted  to  the  Committee  on  Labor  and  Human 
Resources  (September  11, 1997)  at  3.  After  explaining  the  general  principles  of  the  proposals  for 
health  privacy  principles,  the  Secretary  noted  that  the  principles  '"were  designed  to  serve 
patients."  Recommendations  at  7. 

The  Secretary's  proposed  privacy  standards  closely  track  her  recommendations  to  Congress  in 
most  areas  and  demonstrate  a  similar  intent  to  protect  the  privacy  of  individuals.  In  the  preamble 
to  the  proposed  regulations,  the  Secretary  notes  that  "[t]he  use  of  these  standards  will  most 
clearly  benefit  patients  who  are,  in  increasing  numbers,  indicating  that  they  are  apprehensive 
about  the  use  and  potential  use  of  their  health  information  for  inappropriate  purposes."  64  Fed. 
Reg.  59920  (Nov.  3,  1999).  Additionally,  in  discussing  die  need  for  die  proposed  regulations,  the 
Secretary  notes  that  "privacy  is  a  fundamental  right"  64  Fed.  Reg.  60008.  The  discussion  also 
states  that  the  regulation  is  a  major  step  toward  addressing  the  public  concern  with  the  loss  of 
control  over  their  personal  information.  64  Fed.  Reg.  60010.  We  believe  that  the  preamble  also 
should  expressly  state  that  the  proposed  privacy  regulations  are  intended  to  protect  these  privacy 
rights. 

Specifically,  we  recommend  that  the  last  sentence  of  section  160.101  be  amended  as  follows: 

The  purpose  of  these  provisions  is  to  promote  administrative  sin|)Ufication  and  to 
define  and  protect  the  riehts  of  individuals  in  their  individually  identifiable  health 
information. 


These  conmients  on  "Need  for  Privacy  Standards"  have  been  endorsed  by  the  following: 

American  Association  of  People  with  Disabilities 
American  Psychoanalytic  Association 

Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Womoi  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 
Kathleen  M.  Mogul  MD 
Sharyn  F.  Barson,  MSS,  ACSW,  LCSW 
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APPLICABILITY 

Section  164^2  Applkability. 

SUMMARY 

Currently,  the  draft  regulation  does  not  cover  a  large  amount  of  health  care  information  because 
it  includes  two  significant  limitations: 

1 .  The  regulation  only  applies  to  certain  entities:  health  plans,  providers,  and 
clearinghouses. 

2.  The  draft  regulation  only  applies  to  electronic  health  informatioiL 

We  recognize  that  the  scope  of  entities  covered  by  the  regulations  is  limited  by  the  terms  of 
mPAA,  and  that  the  Secretary  has  attempted  to  cover  as  many  entities  as  possible  given  her 
Umited  delegated  authority.  By  limiting  the  regulations  to  health  plans,  health  care 
clearinghouses  and  certain  health  care  providers,  however.  Congress  has  left  a  large  number  of 
entities  that  actually  receive  health  information  unregulated,  leaving  large  gaps  in  the  protection 
afforded  health  information.  The  only  way  to  eliminate  these  gaps  is  for  Congress  to  enact  a 
compr^ensive  health  privacy  law.  We  therefore  strongly  urge  Congress  to  pass  a  comprehensive 
health  privacy  law  apphcable  to  all  of  those  who  generate,  maintain  or  receive  protected  health 
infonnatiorL 

We  believe,  however,  that  the  Secretary  of  Health  and  Human  Services  currently  has  the 
authority  to  promulgate  regulations  that  apply  to  all  health  information  —  whether  it  is 
maintained  in  electronic  or  paper  format  —  used  and  disclosed  by  those  entities. 

Recommendation: 

The  privacy  standards  should  ^ply  to  all  individually  identifiable  health  information  in  any  form 
maintained  or  transmitted  by  a  covered  entity. 

Rationale: 

Under  Section  164.502,  the  draft  regulations  only  apply  to  "protected  health  information"  which 
is  defined  in  Section  164.504  as  individually  identifiable  health  information  which  at  some  point 
has  been  transmitted  or  maintained  electronically  by  a  covered  entity.  The  effect  of  this  approach 
is  to  leave  a  large  portion  of  health  information,  including  that  maintained  in  paper  form, 
improtected.  The  vast  m^ority  of  health  information  is  curroitly  maintained  in  pq>er  form.  This 
information  should  be  protected. 

In  their  current  form,  the  regulations  distinguish  between  health  information  that  at  some  point 
has  been  electronically  maintained  or  transmitted  and  that  which  has  not  This  distinction  is 
nonsensical,  unworkable  and  unenforceable.  At  some  point,  some,  but  not  all,  of  the  information 
in  the  record  may  be  transmitted  electronically.  Under  the  current  proposal,  the  paper  record 
would  then  contain  both  protected  information  (i.e.,  information  that  has  been  electronically 
transmitted),  and  unprotected  information  (information  which  has  not  been  so  transmitted).  It 
would  be  burdensome  and  difficult  to  identify  and  designate  which  information  in  any  particular 
record  is  protected. 

It  would  be  easier  for  a  covered  entity  to  treat  all  information  it  maintains  or  transmits  in  the 
same  fashion.  Additionally,  for  enforcement  purposes,  it  may  prove  difficult,  if  not  impossible, 
to  establish  that  specific  health  information  at  some  point  in  its  existence  has  been  transmitted  or 
maintained  electronically  and,  therefore,  is  subject  to  the  regulations.  The  best  way  to  reduce 
these  implementation  and  enforcement  ambiguities  is  to  make  the  privacy  standards  applicable  to 
all  individually  identifiable  health  information  transmitted  or  maintained  by  a  covered  entity 
regardless  of  its  form. 
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In  additicMi,  ±e  administrative  simplification  provisions  of  HIPAA  appear  to  encourage  the 
development  of  a  uniform  computer-based  health  information  system.  This  goal  is  impeded  by 
allowing  paper  records  to  remain  beyond  the  scope  of  the  regulations.  There  is  little  mcentive 
for  covered  entities  to  convert  to  computer-based  health  information  systems  if  they  may  avoid 
regulation  by  maintaining  paper-based  systems. 

The  question  remams:  does  the  Secretary  of  HHS  have  the  authority  under  HIP.AA  to  cover 
paper  records?  Under  HIPAA,  the  Secretary  has  the  authority  to  promulgate  privacy  standards 
that  apply  to  all  individually  identifiable  health  information  transmitted  or  maintained  by  a 
covered  entity,  including  information  in  a  non-electronic  form.  Section  264(c)  of  HIPAA  does 
not  exclusively  limit  the  scope  of  protection  to  electronic  information. 

First,  the  statutory  language  —  "transmitted  in  connection  with  the  transactions  described  in 
section  1 173(a)"  —  on  its  face  is  not  limited  to  electronic  transmissions  of  individually 
identifiable  health  information.  V^Tule  the  transactions  defined  in  section  1 173(a)  can  be 
pefonned  electronically,  they  also  take  non-electronic  form. 

Second,  section  264(c)  requires  the  regtilations  to  address  "at  least"  the  subjects  of  the 
Secretary's  Recommendations,  which  focus  on  individually  identifiable  health  information  and 
make  no  references  to  electronic  information.  This  implies  that  the  Secretarv'  has  the  ability  to 
address  other  subjects  as  well.  .As  defined  in  section  1171(6),  individ-ually  identifiable  health 
information  clearly  covers  electronic  and  non-electronic  information. 

.And  finally,  in  HIPAA,  when  Congress  intended  to  limit  health  information  to  its  electronic 
form,  it  did  so  explicitiy,  as  in  section  1 172(aX3). 

In  sum,  it  appears  that  the  Secretary  has  the  authority  to  promulgate  regulations  encompassing 
both  eiectronic  and  non-electronic  information.  The  Secretary  should  utilize  this  au±ority  to  the 
ftiU  extent  possible  and  make  the  privacy  standards  applicable  to  all  individually  identifiable 
health  information,  regardless  of  its  form.  Adopting  this  approach  would  afford  a  higher  degree 
of  protection  for  this  sensitive  inforaiation,  make  the  privacy  standards  easier  to  implement  and 
enforce,  and  further  HCPAA's  goal  of  encouraging  a  computer-based  health  information  system. 

These  comments  on  "Applicability"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Healdi,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  AH 

Myositis  Association  of  America 
National  Association  of  People  With  .AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 
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DEFIMTIONS 

Sections  160.103, 164.504  Definitions. 

Section  164.508  Uses  and  disclosures  for  which  individual 

authorization  is  required. 

SUMMARY 

Overall,  we  are  pleased  with  the  definitions  in  the  proposed  rule.  We  have  specific  comments  on 
the  following  definitions: 

♦  Covered  Entity 

♦  Protected  Health  Information 

♦  Health  Care  Operations 

♦  Research  Information  Unrelated  to  Treatment 

♦  Health  Information 

♦  Individual  (Rights  of  Minors) 

♦  Treatment 


1.  COVERED  ENTITY 
Recommendation : 

The  regulations  should  expressly  provide  that  with  respect  to  persons  or  organizations  that 
provide  health  care  or  have  created  health  plans  but  are  primarily  engaged  in  other  unrelated 
activities,  the  term  "covered  entity"  encompasses  only  the  health  care  component  of  that  entity. 

Rationale: 

Designating  the  discreet  health  care  component  of  a  mixed  entity  as  the  "covered  entity"  is 
necessary  to  prevent  the  movement  of  protected  health  information  into  another  component  of 
the  organization  where  it  might  be  used  or  disclosed  improperly.  For  example,  while  we  do  not 
expect  employers  in  their  entirety  to  be  covered  entities,  we  would  expect  that  the  component  of 
the  employer  that  sponsors  a  covered  ERISA  plan  is  a  covered  entity.  Any  protected  health 
information  that  is  shared  between  the  sponsor  of  the  ERISA  plan  and  other  components  of  the 
employer  would  be  considered  a  disclosiu-e  for  the  purposes  of  the  regulation. 

From  the  explanation  accompanying  the  proposed  regulations,  it  is  clear  that  the  Secretary 
intended  this  result.  In  order  to  fully  implement  this  approach,  however,  this  designation  should 
be  expressly  incorporated  into  the  regulations.  As  they  are  written,  the  proposed  regulations  do 
not  expressly  state  that  with  respect  to  a  mixed  entity  of  which  only  a  portion  is  primarily 
engaged  in  health  care  activities,  the  term  "covered  entity"  encompasses  only  the  health  care 
component  of  that  entity.  To  avoid  any  potential  future  claims  of  ambiguity,  the  definition  of 
covered  entity  should  facially  reflect  the  regulatory  intent  that  it  includes  only  the  health  care 
component  of  these  mixed  entities. 

We  have  also  addressed  this  issue  elsewhere  in  our  comments,  under  "Component  Entities." 

2.  PROTECTED  HEALTH  INFORMATION 
Recommendation: 

Protected  health  information  should  be  defined  as  individually  identifiable  health  information  in 
any  form  —  paper  or  electronic  —  that  has  been  maintained  or  transmitted  by  a  covered  entity. 

Rationale: 

We  reconmiend  that  the  Secretary  utilize  her  full  authority  and  promulgate  privacy  standards  that 
apply  to  all  individually  identifiable  health  information  transmitted  or  maintained  by  a  covered 
entity,  including  information  in  a  non-electronic  form.  (See  our  comments  on  "Applicability.") 
The  definition  of  protected  health  infonnation  should  be  revised  to  reflect  this  scope  of 
applicability. 
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3.  HEALTH  CARE  OPERATIONS 
Reconimendatioa : 

The  regulations  should  limit  the  definition  of  health  care  operations  to  include  only  those 
operations  that  cannot  be  carried  on  with  reasonable  efifectiveness  and  efficiency  without 
protected  health  information. 

RAtiosaJe: 

Many  of  the  activities  conducted  under  the  aegis  of  health  care  operations  can  be  carried  out  with 
information  that  does  not  identify  individual  patients.  We  believe  this  is  an  area  where  the 
regulations  can  effectively  encourage  the  use  of  de-identified  information. 

Hawaii  has  taken  such  an  approach  in  its  recently  enacted  Privacy  of  Health  Care  Information 
Act,  Haw.  Rev.  StaL  Sec.  323C-1  et  seq.  (effective  July  1,  2000).  Hawaii  allows  covered  entities 
to  use  or  disclose  protected  health  information  for  "qualified  health  care  operations,"  which,  like 
the  proposed  federal  regulations,  includes  those  activities  conducted  by  or  on  behalf  of  a  health 
plan  or  provider  for  the  purpose  of  carrying  out  management  functions  or  implementing  the 
terms  of  a  contract  for  health  plan  benefits.  See  Haw.  Rev.  StaL  Sees.  323C-21(b)  and  323C-1 
(defining  "qualified  health  care  operations"). 

Hawaii,  however,  includes  a  series  of  additional  restrictions  which  encourage  the  use  of  de- 
idcntified  information.  Two  of  these  restrictions  should  be  incorporated  into  the  federal 
regulations'  definition  of  health  care  operations.  The  definition  of  health  care  operations  for 
purposes  of  the  federal  regulations  should  be  limited  to  those  operations  that: 

♦  cannot  be  carried  on  with  reasonable  effectiveness  and  efficiency  without  identifiable 
patient  information;  and 

♦  utilize  only  that  protected  health  information  collected  under  the  terms  of  the  contract 
for  health  plan  benefits  and  without  which  the  opmtion  caimot  be  carried  on  with 
reasonable  effectiveness  and  efficiency. 

See,  e.g..  Haw.  Rev.  StaL  §  323C-1. 

(We  note  thaL  rather  than  changing  the  definition  of  "health  care  operations"  a  similar  result  can 
be  achieved  by  including  our  suggested  limitations  in  section  164.506(a)(1)  of  the  proposed 
fisleral  regulations.) 

We  believe  that  this  approach  is  consistent  with  the  Secretary's  general  encouragement  of  the  use 
of  de-identified  health  information-  We  strongly  encourage  the  adoption  of  such  limitations  on 
the  use  of  protected  health  information  for  health  care  purposes  in  the  federal  regulations. 

4.  RESEARCH  INFORMATION  UNRELATED  TO  TREATMENT 
Recommendation : 

The  definition  of  "research  information  unrelated  to  treatment"  should  be  revised  to  ensure  that 
once  information  is  classified  as  such,  it  can  not  be  re-classified  as  something  else  at  a  later  date. 
Section  164.508(aX3Xiv)(B)  should  be  revised  to  read: 

Research  information  unrelated  to  treatment  means  health 
information  that  is  received  or  created  by  a  covered  entity  in  the 
course  of  conducting  research,  for  which  there  is  insufficient 
scientific  and  medical  evidence  regarding  the  vahdity  or  utihty  of 
the  information  at  the  time  of  collection  such  that  it  should  not  be 
used  for  the  purpose  of  providing  health  care,  and  with  respect  to 
which  the  covered  entity  has  not  requested  payment  fi-om  a  third 
party  payor. 

Rationale: 

In  ordCT  for  information  to  be  "research  information  unrelated  to  treatment"  there  must  be 
"insufficient  scientific  and  medical  evidaice  regarding  the  validity  or  utihty  of  the  information-" 
[Sec.  164.508  (a)  (3)  (iv)  (B)]  We  tiiink  that  this  is  an  appropriate  test.  We  believe,  however. 
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that  without  qualiiying  language,  this  infonnation  would  be  vuhierable  to  disclosure  in  die 
future,  if  the  information  were  later  to  become  of  scientific  validity. 

The  regulation  should  be  clear  that  once  infonnation  is  considered  "research  infonnation 
unrelated  to  treatment"  it  remains  that  way.  This  is  especially  important  given  that  "research 
information  unrelated  to  treatment"  is  afforded  a  higher  degree  of  protection  under  the  proposed 
regulation.  Individuals  may  rely  on  this  higher  degree  of  confidentiality  when  consenting  to  the 
collection  of  the  information  in  the  first  instance.  This  confidentiality  should  not  be  betrayed  in 
the  fiiture  just  because  the  utility  of  the  infomiation  has  changed. 


5.       HEALTH  INFORMATION 
Recommendation : 

The  definition  of  health  information  should  be  revised  to  include  infonnation  created  or  received 
by  a  researcher. 

Rationale: 

The  proposed  regulation  defines  health  infonnation  to  include  infonnation  that  is  "created  or 
received  by  a  health  care  provider,  health  plan,  pubhc  healdi  authority,  employer,  life  insurer, 
school  or  university,  or  health  care  clearinghouse."  The  definition  notably  does  not  include  a 
researcher. 

The  definition  of  health  infonnation  is  particularly  critical  because  the  definitions  of 
"individually  identifiable  health  infonnation"  and  "protected  health  information"  build  on  this 
definition.  In  so  far  as  this  definition  is  used  to  establish  continuity  between,  or  a  model  for, 
comprehensive  federal  legislation,  it  is  important  to  ensure  that  researchers  using  health 
information  are  subject  to  federal  privacy  standards. 


6.  INDIVIDUALLY  IDENTIITABLE  HEALTH  INFORMATION 
Recommendation : 

The  definition  of  individually  identifiable  health  information  should  be  revised  to  include 
infonnation  created  or  received  by  a  researcher. 

Rationale: 

The  proposed  regulation  defines  individually  identifiable  health  information  to  include 
infonnation  that  is  "created  by  or  received  fi-om  a  health  care  provider,  health  plan,  employer,  or 
health  care  clearinghouse."  The  definition  notably  does  not  include  information  received  by  or 
from  a  researcher. 

The  definition  of  individually  identifiable  health  information  is  critical  because  the  definition  of 
"protected  health  information"  builds  on  this  definition.  Under  the  definition  in  the  proposed 
regulation,  information  received  by  a  covered  entity  from  a  researcher  would  not  be  subject  to 
the  regulations. 

Further,  in  so  far  as  this  definition  is  used  to  establish  continuity  between,  or  a  model  for, 
comprehensive  federal  legislation,  it  is  important  to  ensure  that  researchers  using  personally 
identifiable  health  infonnation  are  subject  to  federal  privacy  standards. 

7.  INDIVIDUAL  (RIGHTS  OF  MINORS:  GENERAL  COMMENTS) 
Recommendation: 

The  standard  included  in  the  proposed  regulation  should  be  preserved:  where  a  minor  lawfiilly 
obtains  health  care  services  on  his  or  her  own,  the  minor  should  exercise  rights  under  this  rule. 

Rationale: 

We  ^plaud  the  Secretary's  approach  in  section  164.504.  This  section  preserves  the  status  quo, 
acknowledges  the  important  role  that  parents  play  in  the  lives  of  their  children,  and  protects  the 
health  and  well-being  of  minors,  including  those  who  lawfiilly  obtain  health  care  on  their  own. 
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The  proposed  niJe  includes  the  following  in  the  definition  of  "individual": 

(ii)  With  respect  to  unemancipated  minors,  a  parent,  guardian,  or 
person  acting  in  loco  parentis,  provided  that  when  a  minor 
lawfully  obtains  a  health  care  service  without  the  consent  of  or 
notification  to  a  parent,  guardian,  or  other  person  acting  in  loco 
parentis,  the  minor  shall  have  the  exclusive  right  to  exercise  the 
rights  of  an  individual  under  this  subpart  with  respect  to  the 
protected  health  information  relating  to  such  care.  64  Fed.  Reg. 
60053. 

This  language  ^ropriately  and  wisely  perpetuates  the  status  quo.  Under  current  law  and 
practice,  parents  generally  consent  to  care  on  behalf  of  their  children  and  have  access  to  their 
medical  records  (at  least  when  anyone  has  access  to  those  records).  It  is  appropriate  in  such 
cases  for  parents  to  exercise  the  rights  created  by  this  rule.  But  in  situations  in  which  the  minor 
lawfully  obtains  health  care  without  the  involvement  of  a  parent,  information  about  those  health 
care  services  now  remains  confidential  and  is  not  shared  with  the  parent  without  the  minor's 
consent  It  is  appropriate  in  such  cases  for  the  minor  to  be  the  one  to  exercise  the  rights  under 
this  rule.  The  proposed  rule  thus  keeps  intact  the  delicate  balance  between  parents  and  minors 
that  exists  in  the  real  world  today. 

There  are  many  sources  of  law  under  which  minors  lawfully  obtain  health  care  services  on  their 
own.  The  U.S.  Constitution,  federal  statutes  and  regulations,  state  constimtions,  and  hundreds  of 
different  state  laws  protect  the  privacy  of  minors  by  guaranteeing  their  right  to  consent  to 
treatment  on  their  own  without  parental  notice  or  consent.  For  example,  many  states  have  case 
law  that  explicitly  giiarantees  "mature  minors"  the  right  to  consent  to  medical  care  generally. 
The  overwhelming  majority  of  states  have  statutes  that  allow  minors  to  consent  to  specific 
sensitive  services  such  as  prenatal  care,  family  planning  services,  testing  and  treatment  for 
sexually  transmitted  diseases,  mental  health  services,  and  treatment  for  alcohol  and/or  drug 
abuse.  Donovan,  P.,  Our  Daughters '  Decisions:  The  Conflict  in  State  Law  on  Abortion  and 
Other  Issues  (The  Alan  Guttmacher  Instimte,  1992).  Federal  Medicaid  law  and  Title  X  of  the 
federal  Public  Health  Service  Act  guarantee  that  eligible  minors  receive  confidential  family 
planning  sCTvices.  Moreover,  the  U.S.  Constimtion  puts  important  limits  on  the  ability  of  the 
federal  government  and  the  States  to  restrict  a  minor's  access  to  abortion  services.  While  more 
than  half  of  the  states  enforce  laws  requiring  parental,  judicial,  or  other  adult  involvement  in  a 
minor's  abortion  decision,  those  laws  must  satisfy  strict  constimtional  parameters.  Underlying 
much  of  this  extensive  body  of  law  is  the  recognition  that  confidentiality  is  often  the  key  to  a 
minor's  willingness  to  access  critically  important  health  care  services. 

This  proposed  rule  makes  the  correct  and  logical  link  between  access  to  health  care  services  and 
the  ri^t  to  control  access  to,  and  disclosure  of,  protected  health  information  relating  to  such 
care.  To  do  otherwise  would  undermine  the  minor's  right  to  obtain  the  care  on  his  or  her  own  in 
the  first  place.  Minors  will  not  seek  the  sensitive  health  care  services  they  need  if  they  fear 
subsequent  disclosure  of  that  information  to  their  parents  over  their  objection.  For  health  care 
services  to  be  truly  confidential,  information  relating  to  such  care  must  remain  confidential. 
This  proposed  rule  strikes  the  appropriate  balance.  It  respects  the  important  role  that  parents 
generally  play  in  obtaining  health  care  for  their  children,  while  at  the  same  time  recognizing  the 
need  to  let  minors  continue  to  control  their  own  protected  health  information  in  those  particular 
and  narrow  circvunstances  in  which  they  lawfully  obtain  care  on  their  own. 

We  have  included  additional  comments  with  regard  to  minors  below,  and  in  the  following 
sections  of  the  regulation:  Directory  Information,  Preemption,  and  Access  for  Inspection  and 
Copying. 

8.        EVDIVTDUAL  (CONCURRENT  RIGHTS  FOR  MINORS) 
Recommendation: 

1 .  Add  to  the  defimtion  of  "individual"  in  section  164.504  in  subpart  (ii)  the  following: 
(ii)  With  respect  to  unemancipated  minors,  a  parent,  guardian,  or  person  acting  in 
loco  parentis,  provided  tiiat  (A}  when  a  minor  lawfully  obtains  a  health  care 
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service  without  the  consent  of  or  notification  to  a  parent,  guardian,  or  other  person 
acting  in  loco  parentis,  the  minor  shall  have  the  exclusive  right  to  exercise  the 
rights  of  an  individual  under  this  subpart  with  respect  to  the  protected  health 
information  relating  to  such  care:  and  (B)  when  a  minor  attains  the  age  of  16,  the 
minor  shall  have  the  right  to  exercise  the  rights  of  an  individual  under  this  subpart 
concurrently  with  his  or  her  parent,  guardian,  or  other  person  acting  in  loco 
parentis  except  in  those  situations  where  the  minor  has  the  exclusive  right  to 
exercise  the  rights  of  the  individual  in  accordance  with  subpart  (A). 

Rationale: 

We  suggest  the  Secretary  add  a  provision  giving  minors  age  16  and  over  the  ability  to  exercise 
the  rights  under  the  rule  concurrently  with  their  parents.  This  would  apply  in  instances  where  the 
minor  does  not  already  exercise  these  rights  exclusively.  Certainly  by  age  16,  if  not  before,  most 
minors  are  capable  of  exercising  these  rights.  Allowing  minors  16  and  over  to  exercise  these 
rights  concurrently  will  not  undermine  the  rights  of  their  parents  or  interfere  with  parents'  ability 
to  remain  involved  in  health  care  treatment  decisions.  At  the  very  least,  the  Secretary  should 
create  a  process  whereby  a  parent,  guardian,  or  other  person  acting  in  loco  parentis  can  authorize 
his  or  her  minor  child  to  exercise  these  rights  in  whatever  circtmistances  and  at  whatever  age  the 
parent,  guardian,  or  other  person  acting  in  loco  parentis  deems  appropriate. 


9.  INDIVroUAL  (MINORS  WHO  BECOME  EMANCIPATED  OR  ATTAIN 
MAJORITY) 

Reconunendation : 

We  suggest  the  Secretary  clarify  the  proposed  rule's  application  to  situations  in  which  an  adult  or 
emancipated  minor  is  seeking  access  to  (or  is  being  asked  to  authorize  disclosure  of)  protected 
health  information  concerning  health  care  services  rendered  while  the  person  was  an 
unemancipated  minor. 

Rationale:  ... 
The  appropriate  policy  is  as  follows:  once  a  minor  becomes  emancipated  or  attains  majority,  as 
determined  by  appUcable  State  law,  the  minor  should  exercise  the  rights  of  an  individual  with 
respect  to  protected  health  information  relating  to  services  rendered  while  the  person  was  a 
minor.  We  do  not  believe  it  is  necessary  to  change  the  language  of  the  rule  itself  because  under 
the  existing  definition  of  "individual,"  nothing  appears  to  limit  the  ability  of  adults  to  obtain 
access  to  protected  health  information  relating  to  services  rendered  while  the  individual  was  a 
minor.  It  would  be  helpful,  however,  for  the  Secretary  to  state  this  interpretation  of  the  rule  in 
the  preamble. 

10.  TREATMENT  (DISEASE  MANAGEMENT) 
Recommendation : 

The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease  management  programs 
are  only  conducted  with  the  authorization  of  the  treating  physician. 

Rationale: 

The  proposed  regulation  allows  for  the  fi-ee-flow  of  information  for  treatment,  payment  and 
health  care  operations,  without  authorization  fixjm  individual  patients.  Included  in  the  definition 
of  treatment  are  disease  management  programs,  which  vary  widely  in  practice.  Of  particular 
concern  are  disease  management  programs  conducted  by  employers  —  sometimes  for  very 
sensitive  conditions  —  without  the  consent  of  the  patient.  Some  patients  also  object  to  disease 
management  programs  because  they  involve  mailings  and  phone  calls  to  their  home  or  work. 

We  recommend  that  the  regulation  ensure  that  disease  management  programs  are  conducted  only 
with  the  authorization  of  the  treating  physician.  This  is  a  reasonable  safeguard  —  the  treating 
physician  will  be  able  to  help  judge  the  benefit  of  the  program  to  the  patient,  and  can  determine 
if  the  patient  has  any  privacy  considerations  in  tenns  of  how  the  program  will  be  implemented. 


117 


A  similar  approach  is  taken  in  California.  The  G>nfidentiality  of  Medical  Infonnation  Act 
provides  that  **For  purposes  of  chronic  disease  management  programs,  information  may  be 
disclosed  to  any  entity  contracting  with  a  health  care  service  plan  to  monitor  or  administer  care 
of  enroUees  fw  a  covered  benefit,  provided  that  the  disease  management  services  and  care  are 
authorized  by  a  treating  physician"  Cal.  Civil  Code  Section  56.10  (cXlT)  as  added  by  1999 
Cal.  Stats,  ch.  526,  sec.  2  (emphasis  added). 

The  new  definition  of  "treatment"  should  read: 

Treatment  means  the  provision  of  health  care  by,  or  the  coordination  of  health  care 
(including  health  care  management  of  the  individual  through  risk  assessment,  case 
management,  and  disease  management,  where  authorized  by  the  treating  physician) 
among,  health  care  providers. . . 

These  comments  on  "Definitions"  have  been  endorsed  by  die  following  organizations: 

Amencan  Association  of  People  with  Disabilities 
Association  of  Women's  HealA,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 

Center  for  Reproductive  Law  and  Policy  ^        . .  .  ,  . 

Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Groiq) 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health  (excqit  Concurrent  Rights  for  Minors'*) 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Ri^ts  Qearingfaouse 
Women's  Law  Project 
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TREATMENT,  PAYMENT  AND  HEALTH  CARE  OPERATIONS 
Section  164^06       Uses  and  disclosures  of  protected  health  information:  general  mies. 
SUMMARY 

We  strongly  disagree  with  the  proposed  regulatory  framework  concerning  the  use  and  disclosure 
of  protected  health  information  for  treatment,  payment  and  health  care  operations.  Overall,  this 
approach  allows  the  total  free-flow  of  information  for  these  purposes  without  any  input  from  the 
individual  and  without  any  mechanism  for  the  individual's  being  able  to  verify  that  the 
information  is  being  used  and  disclosed  for  the  proper  reasons.  In  essence,  the  individual  is 
totally  cut  out  from  the  entire  process.  Although  we  agree  that  the  general  regulatory  framework 
should  make  health  information  relatively  easy  to  use  for  health-related  purposes,  we  believe  that 
this  can  be  accomplished  without  totally  sacrificing  the  individual's  participation  in  the  process. 
We  believe  the  individual  should  have  more  control  over  and  be  more  involved  in  determining 
how  protected  health  information  is  used  and  disclosed.  In  order  to  accomplish  this  goal,  we 
suggest  that  the  regulatory  scheme  for  treatment,  payment,  and  health  care  operations  be 
substantially  revised.  Furthermore,  we  encourage  the  adoption  of  some  mechanisms  for  assuring 
that  the  easy  access  to  protected  health  information  for  treatment,  payment  and  health  care 
operations  does  not  lead  to  an  abuse  of  privacy  protections.  We  specifically  request  that  the 
following  changes  be  made. 

1 .  The  regulations  should  require  authorization  from  the  individual  for  the  use  and 
disclosure  of  information  for  treatment,  payment  and  health  care  operations,  which 
should  be  renewed  at  least  once  every  three  years  or  whenever  the  patient  changes 
insurance  companies,  whichever  occurs  first. 

2.  The  final  regulations,  at  a  minimum,  should  allow  entities  to  have  the  option  to  require 
patient  authorization  for  treatment,  payment  and  health  care  operations. 

3.  The  terms  "treatment"  and  "payment"  should  be  narrowly  interpreted  as  applying  to  the 
individxial  who  is  the  subject  of  the  information. 

4.  The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease  management 
programs  are  only  conducted  with  the  authorization  of  the  treating  physician. 

5.  The  regulation  should  expressly  state  that  the  term  "health  care  operations"  includes  only 
disclosures  made  to  the  covered  entity  (or  a  business  partner  of  such  entity)  on  whose 
behalf  the  operation  is  being  performed. 

6.  The  regulations  should  limit  the  definition  of  health  care  operations  to  include  only  those 
operations  that  caimot  be  carried  on  with  reasonable  effectiveness  and  efficiency  without 
protected  health  information. 

7.  Health  care  providers  should  be  subject  to  the  verification  requirements  of  section 
164.518(c)  when  the  request  for  information  for  treatment  purposes  originates  outside  of 
the  covered  entity. 

8.  We  strongly  commend  the  Administration  for  limiting  access  to  psychotherapy  notes, 
absent  specific  consent  from  the  individual.  However,  additional  protections  are  critical 
for  ensuring  the  level  of  privacy  essential  for  effective  mental  health  care. 

9.  The  limitations  on  disclosure  of  psychotherapy  notes  should  extend  ±roughout  the 
regulation.  In  particular,  there  should  be  a  prohibition  on  disclosure  of  psychotherapy 
notes  for  the  activities  addressed  in  section  164.510. 

10.  We  also  call  to  your  attention  the  need  for  a  requirement  applying  to  these  sections  which 
requires  that  any  disclosures  be  consistent  witii  the  psychotherapist-patient  privilege.  Nor 
should  the  regulations  modify  "duty  to  warn"  case  law  or  statutes. 
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1.  EVrriAL  AUTHORIZATIONS  FOR  TREATMENT,  PAYMENT  AND  HEALTH 
CARE  OPERATIONS  PURPOSES 

Recommendation: 

The  regulations  should  require  authorization  firom  the  individual  for  the  use  and  disclosxire  of 
information  for  treatmait,  payment  and  health  care  operations,  which  should  be  renewed  at  least 
once  every  three  years  or  whenever  the  patient  changes  insurance  companies,  whichever  occurs 
first 

Rationale: 

We  disagree  with  tfie  Secretary's  basic  premise  that  requiring  patient  authorization  for  treatment, 
payment  and  health  care  operations  is  a  meaningless  enterprise.  This  issue  was  addressed  at 
length  by  the  Health  Privacy  Working  Group,  a  panel  comprised  of  diverse  stakeholders 
including:  disability  and  mental  health  advocates;  health  plans;  providers;  employers;  standards 
and  accreditation  representatives;  and  experts  in  public  health,  medical  ethics,  information 
systems  and  health  policy.  Best  Principles  for  Health  Privacy,  a  Repori  of  the  Health  Privacy 
Working  Group  (July  1999).  This  diverse  group  noted  that  as  a  general  rule,  requiring  patient 
authorization  prior  to  disclosxire  can: 

♦  bolster  patient  trust  in  providers  and  health  care  organizations  by  acknowledging 
the  patient's  role  in  health  care  decisions; 

♦  serve  as  recognition  that  notice  was  given  and  the  patient  was  aware  of  the  risks 
and  benefits  of  disclostue;  and 

♦  define  an  "initial  moment"  in  which  patients  can  raise  questions  about  privacy 
concerns  and  leara  more  about  options  available  to  them. 

We  find  the  Secretary's  current  position  regarding  authorization  for  treatment,  payment,  and 
health  care  operations  to  be  particularly  objectionable  because  it  runs  counter  to  other  efforts  to 
make  our  health  care  system  function  properly.  In  a  world  of  managed  care,  the  Administration 
and  many  health  and  consumer  interests  have  been  dedicated  to  shifting  popular  culture  to 
embrace  the  concept  of  the  "empowered  patient."  Many  observers  beUeve  that  the  best  way  to 
make  managed  care  work  is  for  patients  to  become  self-advocates  and  active  in  working  the 
system  so  they  get  the  care  they  need.  Dismantling  the  current  authorization  system  runs  counter 
to  this  approach.  The  Administration's  approach  disempowers  patients  by  taking  away  their 
ability  to  actively  control  access  to  their  own  protected  health  information. 

Patients  should  be  encouraged  to  be  active  participants  in  their  own  health  care  —  and  the 
authorization  process  should  be  an  integral  piece  of  that  picture.  The  authorization  should  be 
renewed  at  least  once  every  three  years,  or  when  the  patient  changes  insiuance  companies, 
whichever  occurs  first  Since  entities  are  already  required  to  provide  notice  to  patients  every 
three  years,  there  would  little  additional  administrative  burden.  For  covered  entities  that  are 
health  plans,  authorization  can  be  obtained  through  the  employer  or  through  the  insurance 
company. 

Under  this  model,  it  may  be  necessary  to  allow  covered  entities  to  refuse  enrollment  or  services 
if  the  patient  refiises  to  sign  the  authorization.  This  would  be  acceptable  if  the  other  changes 
suggested  in  our  comments  were  included  —  such  as  a  genuine  right  to  restrict  disclosures  and 
heightened  protections  for  sensitive  information. 

Again,  we  urge  the  Secretary  to  add  an  authorization  requirement  for  treatment,  payment  and 
health  care  operations. 

2.  PROHJBmON  ON  SEEKING  AUTHORIZATION  FOR  USES  AND 
DISCLOSURES  FOR  TREATMENT,  PAYMENT  AND  HEALTH  CARE 
OPERATIONS 

Recommendation: 

Again,  we  prefer  that  the  regulations  include  an  authorization  requirement  for  treatment. 
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payment  and  health  care  operations.  If  the  regulations  do  not  include  this  requirement,  we 
suggest  that  the  final  regulations,  at  a  minimum,  allow  entities  to  have  the  option  to  require 
patiCTt  authorization  for  treatmoit,  payment  and  health  care  operations. 

Rationale: 

Under  proposed  section  i64.508(a)(2)(iv)  a  covered  entity  is  prohibited  from  requiring  an 
individual  to  sign  an  authorization  for  use  or  disclosure  of  protected  health  information  for 
treatment,  payment,  or  health  care  operations  purposes.  The  explanation  of  this  provision  also 
indicates  a  broader  intent  to  prohibit  covered  entities  from  "seeking  individual  authorization"  for 
these  listed  purposes.  64  Fed.  Reg.  59941  (Nov.  3, 1999).  Given  this  expansive  language, 
section  164.508  may  be  construed  in  an  unduly  broad  fashion.  We  are  concerned  that: 

♦  A  general  prohibition  on  health  care  providers  from  "seeking  individual 
authorization"  may  deter  health  care  providers  from  initiating  discussions  with 
patients  concerning  their  rights  under  section  1 64.506(c)  to  request  restrictions 
on  the  uses  or  disclosures  of  protected  health  information  for  treatment, 
payment  or  health  care  purposes;  and 

♦  Health  care  organizations  have  a  legitimate  interest  in  collecting  patient 
authorizations  and  should  be  pennitted  to  require  patient  authorization  for 
treatment,  payment  and  health  care  operations. 

Today,  health  care  providers  routinely  require  patient  authorizations  prior  to  disclosing  protected 
health  information  for  many  purposes.  For  example,  patient  authorizations  are  used  as  a 
mechanism  for  determining  what  health  information  to  release  for  purposes  of  second  opinions, 
consultations,  and  referrals.  Under  current  procedure,  a  patient,  usually  in  consultation  with  a 
health  care  provider,  will  complete  a  form  authorizing  the  disclosure  of  his  or  her  health 
information  to  another  health  care  provider  for  second  opinions,  referrals  and  consultations.  In 
the  forai,  the  patient  usually  designates  both  the  type  and  scope  of  the  information  to  be 
disclosed  and  to  whom  the  information  is  to  be  disclosed.  These  authorizations  provide 
meaningful  guidance  to  the  initial  provider  in  determining  what  records  to  release.  The  provider 
may  also  retain  a  copy  of  the  authorization  in  case  of  a  legal  dispute. 

Furthermore,  such  authorizations  provide  the  patient  with  some  degree  of  control  over  what 
information  is  disclosed  and  to  whom  it  is  released.  Ultimately,  it  may  help  the  patient  to 
determine  who  is  in  possession  of  his  or  her  medical  records. 

We  suggest  that  the  explanation  of  section  164.508  be  revised  to  clarify  that  a  covered  entity 
may  require  an  individual  authorization  to  restrict  the  use  or  disclosure  of  health  information  for 
the  purposes  of  treatment,  payment  and  health  care  operations. 

3.        SCOPE  OF  "TREATMENT  AND  PAYMENT' 
Recommendation: 

The  terms  "treatment"  and  "payment"  should  be  narrowly  construed  as  encompassing  only  the 
treatment  and  payment  related  to  the  individual  who  is  the  subject  of  the  information. 

Rationale: 

Draft  section  164.506  would  allow  covered  entities  to  use  and  disclose  protected  information 
without  an  individual's  authorization  for  the  purposes  of  treatment  and  payment  The  Secretary 
intends  that  this  provision  be  interpreted  "to  apply  for  treatment  and  payment  of  all  individuals." 
One  of  the  Secretary's  justifications  for  this  broad  interpretation  is  that  treatment  and  payment 
are  core  fimctions  of  the  health  care  system  and  that  "[t]his  is  what  individuals  expect  their 
health  information  will  be  used  for  when  they  seek  medical  care." 

To  the  contrary,  individuals  seeking  medical  care  expect  that  their  health  information  will  be 
used  for  their  own  treatment  and  payment  Many  people  would  be  mortified  to  learn  that  their 
health  information  was  being  reviewed  for  the  treatment  of  others  —  particularly  people  they 
know.  We  find  particularly  disturbing  the  Secretary's  examples  of  permissible  uses  without  the 
individual's  consent,  such  as  the  review  of  the  records  of  family  members  or  house  mates.  When 
a  physician  is  examining  the  information  of  a  small  group  of  individuals  known  to  the  patient, 
such  as  femily  members  or  house  mates,  the  risk  of  inadvertent  disclosure  of  identifiable  data  to 
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the  patient  is  not  insignificant.  When  dealing  with  such  a  small  group,  patients  easily  would  be 
able  to  surmise  the  identity  of  those  whose  information  has  been  reviewed,  as  well  as  their  health 
status.  Individuals  should  have  the  ability  to  decide  whether  they  want  to  accept  the  lisk  of 
disclosure  by  allowing  their  medical  infomiation  to  be  used  for  the  treatment  of  someone  they 
know. 

We  recognize  there  may  be  legitimate  circumstances  where  a  provider  may  want  to  review  the 
health  information  of  the  patient  of  another  provider.  We  believe  these  circumstance  would  be 
limited,  however,  and  that  it  would  not  pose  a  substantial  burden  on  providers  to  request 
authorization  for  these  purposes.  We  encourage  the  Secretary  to  construe  "treatment"  and 
"payment"  in  a  narrow  manner  as  applying  to  the  treatment  and  payment  of  the  individual  who  is 
the  subject  of  the  health  information.  Uses  and  disclosures  for  the  treatment  and  payment  of 
others  should  be  permitted  only  with  the  authorization  of  the  individual. 

This  suggested  approach  of  construing  "treatment"  and  "payment"  in  a  limited  fashion  is 
endorsed  by  many  states  that  generally  prohibit  disclosures  without  the  patient's  authorization 
but  make  an  exception  for  disclosures  to  providers  who  are  treating  the  patient  who  is  the  subject 
of  the  protected  health  information.  See  e.g.,  Ariz.  Rev.  Stat.  sec.  12-2294  (allowing  the 
disclosure  of  a  patient's  medical  records  without  a  signed  authorization  to  attending  and 
consulting  health  care  providers  who  are  currently  providing  health  care  to  the  patient  for  the 
purpose  of  diagnosis  or  treatment  of  the  patient)  (emphasis  added);  Md.  Code  Ann.  Health-Gen. 
sec.  4-303  (  allowing  disclosures  to  another  health  care  provider  for  the  sole  purpose  of  treating 
the  patient  or  recipient  on  whom  the  medical  record  is  kept);  Fla.  Stat  Aim.  sec.  455.667 
(prohibiting  the  disclosure  of  medical  records  to  anyone  other  than  the  patient,  his  representative, 
or  other  health  care  practitioners  and  providers  involved  in  the  care  or  treatment  of  the  patient 
except  upon  written  authorization  of  the  patient)  (emphasis  added);  Cal.  Health  &  Safety  Code 
sec.  56.  IO(cXl )  (permitting  medical  information  to  be  disclosed  to  other  providers  of  health  care 
"for  purposes  of  diagnosis  or  treatment  of  the  patient ")  (emphasis  added).  We  note  that  even  the 
examples  cited  by  the  Secretary  in  her  explanation  permit  disclosures  only  to  providers  "treating 
the  individuoT  or  to  "a  person  who  is  providing  health-care  to  the  patient.'"  64  Fed.  Reg.  59941 
(Nov.  3,  1999). 

We  urge  the  Secretary  to  adopt  this  approach  and  to  construe  "treatment"  and  "payment"  as 
applying  to  the  treatment  and  payment  of  the  individual  who  is  the  subject  of  the  health 
information. 


4.  TREATMENT  (DISEASE  MANAGEME^^T) 
Recommendatioii: 

The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease  management  programs 
are  only  conducted  with  the  authorization  of  the  treating  physician. 

Rationale: 

The  proposed  regulation  allows  for  the  free-flow  of  information  for  treatment,  payment  and 
health  care  operations,  without  authorization  from  individual  patients.  Included  in  the  definition 
of  treatment  are  disease  management  programs,  which  vary  widely  in  practice.  Of  particular 
concern  are  disease  management  programs  conducted  by  employers  —  sometimes  for  very 
sensitive  conditions  —  without  the  consent  of  the  patient.  Some  patients  also  object  to  disease 
management  programs  because  they  involve  mailings  and  phone  calls  to  their  home  or  work. 

We  reconmiend  that  the  regulation  ensure  that  disease  management  programs  are  conducted  only 
with  the  authorization  of  the  treating  physician.  This  is  a  reasonable  safeguard  —  the  treating 
physician  will  be  able  to  help  judge  the  benefit  of  the  program  to  the  patient,  and  can  determine 
if  die  patient  has  any  privacy  considerations  in  terms  of  how  the  program  will  be  implemented. 

A  similar  approach  is  taken  in  California.  The  Confidentiality  of  Medical  Information  Act 
provides  that  "For  purposes  of  chronic  disease  management  programs,  information  may  be 
disclosed  to  any  entity  contracting  with  a  health  care  service  plan  to  monitor  or  administer  care 
of  enroUees  for  a  covered  benefit,  provided  that  the  disease  management  services  and  care  are 
authorized  by  a  treating  physician."  Cal.  Civil  Code  Section  56.10  (c)(l7)  as  added  by  1999  Cal. 
Stats,  chap.  526,  sec.  2. 
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The  new  definition  of  "treatment"  should  read: 

Treatment  means  the  provision  of  health  care  by,  or  the  coordination  of  health 
care  (including  health  care  management  of  the  individual  through  risk  assessment, 
case  management,  and  disease  management,  where  authorized  bv  the  treating 
physician)  among,  health  care  providers;....  etc. 

This  recommendation  is  also  included  in  oiu-  comments  under  "Definitions." 


5.  HEALTH  CARE  OPERATIONS:  DISCLOSURES 

We  support  the  Secretary's  specifically  identifying  the  activities  that  constitute  health  care 
operations.  This  approach  gives  covered  entities  fairly  clear  guidance  on  when  an  authorization 
is  required  prior  to  disclosure.  We  suggest,  however,  that  the  following  change  be  made. 

Recommendation: 

The  regulation  should  expressly  provide  that  disclosures  permitted  for  the  purposes  of  "health 
care  operations"  include  only  disclosures  made  to  the  covered  entity  (or  a  business  partner  of 
such  entity)  on  whose  behalf  the  operation  is  being  performed. 

Rationale: 

We  believe  that  the  regulations  should  expressly  provide  that  information  disclosed  for  health 
care  operations  must  remain  within  the  covered  entity. 

The  Secretary's  explanation  of  the  term  "health  care  operations"  indicates  that  "a  health  care 
operation  should  not  result  in  protected  health  information  being  disclosed  to  an  entity  that  is  not 
the  covered  entity  (or  a  business  partner  of  such  entity)  on  whose  behalf  the  operation  is  being 
performed."  This  limitation  is  appropriate  and  should  be  expressly  incorporated  in  the 
regulations.  We  believe  it  is  necessary  to  expressly  limit  the  disclosure  to  the  entity  on  whose 
behalf  the  operation  is  being  performed  given  the  general  fi-ee-flow  approach  the  regulations 
have  taken  towards  the  exchange  of  health  information  for  treatment,  payment  and  health  care 
operations  purposes. 

6.  HEALTH  CARE  OPERATIONS:  DE-IDENTIFIED  INFORMATION 
Recommendation : 

The  regulations  should  limit  die  permitted  use  and  disclosure  of  protected  health  infomiation  for 
the  purposes  of  health  care  operations  exclusively  to  those  operations  that  cannot  be  carried  on 
with  reasonable  effectiveness  and  efficiency  without  protected  health  information. 

Rationale: 

Utilizing  protected  health  information  for  health  care  operations  may  unnecessarily  increase  the 
risk  of  improper  disclosure.  See  e.g..  Doe  v.  Group  Health  Cooperative  of  Puget  Sound  85 
Wash.  App.  213,  932  P.2d  178  (Wash.  Ct.  of  Appeals,  Div.  1,  1997)  (where  a  health  care 
provider  used  the  names  of  patients,  including  that  of  one  of  its  own  employees,  to  illustrate  a 
training  exercise  on  how  to  process  mental  health  claims).  Many  of  the  activities  conducted 
under  the  aegis  of  health  care  operations  can  be  carried  out  with  information  that  does  not 
identify  individual  patients.  We  believe  this  is  an  area  where  the  regulations  can  effectively 
encourage  the  use  of  de-identified  information. 

Hawaii  has  taken  such  an  approach  in  its  recently  enacted  Privacy  of  Health  Care  Information 
Act,  Haw.  Rev.  Stat.  Sec.  323C-1  et  seq.  (effective  July  1, 2000).  Hawaii  allows  covered  entities 
to  use  or  disclose  protected  health  information  for  "qualified  health  care  operations,"  which,  like 
the  proposed  federal  regulations,  includes  those  actiWties  conducted  by  or  on  behalf  of  a  health 
plan  or  provider  for  the  purpose  of  carrying  out  management  functions  or  implementing  the 
terms  of  a  contract  for  health  plan  benefits.  See  Haw.  Rev.  Stat.  Sees.  323C-21(b)  and  323C-1 
(defining  "qualified  health  care  operations"). 
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Hawaii,  however,  includes  a  series  of  additional  restrictions  which  encourage  the  use  of  de- 
identified  infonnation.  Two  of  these  restrictions  should  be  incorporated  into  the  federal 
regulations.  The  federal  regulations  should  limit  the  uses  and  disclosures  of  protected  health 
information  for  the  purposes  of  health  care  operations  to  those  operations  that: 

♦  cannot  be  carried  on  with  reasonable  effectiveness  and  efficiency  without  identifiable 
patient  information;  and 

♦  utilize  only  that  protected  health  information  collected  under  the  terms  of  the  contract 
for  health  plan  benefits  and  without  which  the  operation  cannot  be  carried  on  with 
reasonable  effectiveness  and  efficiency. 

See,  e.g..  Haw.  Rev.  StaL  Sec.  323C-1. 

(We  note  that,  rather  than  changing  the  general  rules  of  how  protected  health  information  can  be 
utilized  contained  in  section  164.506,  a  similar  result  can  be  achieved  by  altering  the  definitica 
of  health  care  operations.  Sec  our  recommendation  in  "Definitions.") 

We  believe  that  this  approach  is  consistent  with  the  Secretary's  general  encouragement  of  the  use 
of  de-identified  health  information.  We  strongly  encourage  the  adoption  of  such  limitations  on 
the  use  of  protected  health  information  for  health  care  purposes  in  the  federal  regulations. 

7.       VERIFICATION  OF  IDENTITY  OF  REQUESTERS  OF  INFORMATION 

While  we  prefer  that  issues  of  verification  be  addressed  through  an  authorization  process  that 
involves  the  patient,  we  endorse  section  164.5 18(c)'s  general  requirements  that  covered  entities 
have  procedures  for  verifying  the  identity  of  the  requester  of  protected  health  information.  We 
beUcve  that  section  164.506  should  incorporate  this  requirement 

Recommendation : 

Section  164.506  should  have  a  provision  expressly  requiring  covered  entities  to  comply  with  the 
applicable  verification  requirements  under  section  1 64.5 1 8(c). 

Rationak: 

Under  proposed  section  164.506,  it  appears  that  providers  are  permitted  to  disclose  protected 
health  information  to  other  providers  for  consultation  or  referral  without  verifying  the  identity  of 
the  provider  who  has  requested  protected  information.  Because  providers  who  disclose  to  other 
providers  for  consultation  or  referral  purposes  are  not  subject  to  the  business  partner  rules  in 
section  164.506(e)  and  covered  entities  are  prohibited  torn  obtaining  individual  authorizations 
under  section  164.506  (see  p.  59941),  providers  are  given  blanket  authority  to  disclose  protected 
health  information  for  treatment,  payment  and  health  care  operations  about  a  patient  without 
knowing  whether  the  person  who  has  requested  the  information  is  actually  (1)  a  provider  and  (2) 
treating  that  particular  patient  or  has  another  valid  reason  for  requesting  the  patient's  records. 
We  recommend  that  the  verification  procedures  set  forth  in  section  164.518(c)  apply  to  uses  and 
disclosures  for  treatment,  payment  and  health  care  operations. 

Section  164.518(c)  genen  .ly  requires  covered  entities  to  have  adequate  procedures  for  verifying 
that  the  individual  or  person  making  the  request  for  protected  health  information  has  the 
appropriate  identity  for  the  use  or  disclosure  requested,  except  in  specified  circumstances.  The 
Secretary's  explanation  of  the  regulation  indicates  that  for  most  categories  of  permitted 
disclosures,  when  the  request  for  disclosure  of  protected  health  information  is  from  a  person  with 
whom  the  covered  entity  does  not  routinely  do  business,  the  covered  entity  would  be  required  to 
verify  the  identity  of  the  requestor.  It  is  clear  from  the  language  of  section  164.518(c)  and  the 
Secretary's  explanation  of  this  provision  that  the  verification  procedure  was  intended  to  apply  to 
section  164.5 10  requests  (made  pursuant  to  the  "public  policy"  uses  and  disclosures  permitted 
without  individual  authorization).  Furthermore,  section  164.510(a)(1)  itself  expressly 
incorporates  this  verification  requirement  and  requires  covered  entities  to  comply  with  any 
applicable  verification  requirements  under  section  164.518(c)  as  a  condition  of  using  or 
disclosing  protected  health  information  without  the  individual's  authorization. 
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In  contrast,  it  is  unclear  whether  these  verification  procedures  apply  to  section  164.506  requests 
(made  pursuant  to  the  provisions  allowing  use  and  disclosure  for  treatment,  payment  and  health 
care  operations  without  individual  authorization),  even  where  the  request  for  information 
originates  fi-om  an  unfamiliar  source  outside  the  covered  entity.  The  language  of  section 
164.518(c)  is  general  and  somewhat  ambiguous.  The  Secretary's  explanation  of  section 
164.518(c),  while  general  enough  to  encompass  section  164.506  uses  and  disclosures,  does  not 
directly  address  uses  and  disclosures  for  treatment,  payment  and  health  care  operations. 
Furthermore,  unlike  section  164.510,  section  164.506  does  not  expressly  incorporate  the 
verification  requirements  under  section  164.518.  Consequently,  it  is  at  least  arguable  that  the 
regulations  do  not  impose  the  164.518  verification  requirements  on  164.506  disclosures  even 
when  the  request  originates  fix>m  an  unfamiliar  source  outside  the  covered  entity. 

Although  the  rules  in  section  164.506(e)  would  afford  some  protection  for  disclosures  to 
business  partners  by  requiring  contracts  that  ensure  that  the  business  partner  will  safeguard 
information  that  it  receives,  these  rules  expressly  exclude  disclosures  from  provider  to  provider 
for  consultation  or  referral  purposes.  In  siun,  there  appear  to  be  no  verification  rules  or  other 
checks  on  provider-to-provider  disclosures  under  section  164.506. 

Presumably,  the  Secretary  considers  provider-to-provider  uses  and  disclosures  for  consultation  or 
referral  to  pose  less  of  a  risk  of  unwarranted  disclosure  than  other  uses  and  disclosures.  We 
believe,  however,  that  provider-to-provider  disclosures  for  consultation  and  referral  can  pose  a 
significant  risk  of  unwarranted  disclosure.  Consider  this  scenario:  a  woman  seeks  specialized 
treatment  for  reproductive  health  services,  or  mental  health  services.  If  another  provider  requests 
information,  the  provider  who  rendered  the  services  would  not  have  to  consult  the  patient  before 
the  disclosure  or  even  verify  who  has  requested  the  information.  Of  particular  concern  is  that 
this  loophole  would  be  used  by  people  who  are  not  providers  to  obtain  information  under  false 
pretenses  on  patients. 

While  many  providers  may  argue  that  the  requirements  of  164.518(c)  create  additional 
administrative  burdens,  we  believe  that  these  verification  procedures  are  reasonable,  and  the  only 
situation  in  which  providers  would  have  additional  administrative  burdens  is  when  the  identity  of 
the  provider  requesting  the  information  is  unknown-where  the  risk  of  inappropriate  disclosure  is 
the  greatest.  Those  providers  that  have  ongoing  relationships  would  obviously  know  the 
requestor  and  not  be  required  to  conduct  additional  verification. 

We  recommend  that  the  Secretary  add  to  164.506(a)  as  follows: 

(a)  Standard.  A  covered  entity  may  not  use  or  disclose  an  individual's 
protected  health  information,  except  as  otherwise  permitted  or  required  by  this 
part  or  as  required  to  comply  with  ^plicable  requirements  of  this  subchapter.  In 
using  or  disclosing  protected  health  information  under  this  section  a  covered 
entity  must  complv  with  applicable  verification  requirements  under  section 
164.518(c). 

8.       EXCEPTION  FOR  PSYCHOTHERAPY  NOTES 

Wc  conmiend  the  Secretary  for  accepting  in  principle  the  need  to  limit  access  to  psychotherapy 
notes,  absent  specific  consent  fit)m  the  individual.  However,  without  additional  protections  this 
provision  at  best  provides  only  very  limited  privacy  protection. 

Recommendation : 

The  rule  should  make  clear  that  it  is  the  information  that  is  being  protected,  not  just  the  specific 
"notes"  themselves. 

Rationale: 

The  protection  for  notes  will  not  be  meaningfiil  if  the  same  information  can  be  demanded  in  a 
different  format.  We  are  also  concerned  by  the  likely  expansive  interpretation  of  the  notes' 
definition  which  might  allow  plans  and  others  to  require  the  release  of  verbatim  notes.  For  this 
reason  we  believe  that  the  explanatory  text  should  specify  that  demands  for  verbatim  notes  are 
not  permitted  and  that  the  amount  of  information  that  is  excluded  from  the  patient  consent 
requirement  narrowed  dramatically. 
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9.  EXCEPTION  FOR  PSYCHOTHERAPY  NOTES:  SECTION  164.510 
DISCLOSURES 

Recommendation: 

The  limitatioiis  on  disclosure  of  psychotherapy  notes  should  extend  throughout  the  regulation.  In 
particular,  there  should  be  a  prohibition  on  disclosure  of  psychotherapy  notes  for  the  activities 
addressed  in  section  164.510. 

Rationale: 

The  proposed  regulation  only  affords  heightened  protections  for  purposes  of  treatment,  payment, 
and  health  care  operations.  In  all  other  circumstances,  the  notes  may  be  used  or  disclosed  in  the 
same  manner  as  all  protected  health  information.  Under  the  proposed  regulation,  for  example, 
the  notes  may  be  used  or  disclosed  for  pubhc  health  reporting,  to  next  of  kin,  for  directory 
information,  and  to  law  enforcement 

There  is  no  good  rationale  for  psychotherapy  notes  to  be  shared,  unless  the  individual  has 
authorized  the  use  or  disclosure.  Psychotherapy  notes  include  extremely  sensitive  infomiation, 
and  if  individuals  are  aware  that  such  information  can  be  shared  so  widely,  it  will  likely  destroy 
the  therapeutic  relationship. 

10.  EXCEPTION  FOR  PSYCHOTHERAPY  NOTES:  INTERACTION  WITH 
COMMON  LAW 

We  also  call  to  your  attention  the  need  for  a  provision  which  requires  section  164.510  disclosures 
be  consistent  with  the  psychotherapist-patient  privilege  first  established  by  Jaffe  v.  Redmond. 
Nor  should  the  regulations  modiiy  "duty  to  warn"  case  law  or  statutes  which,  under  certain 
circimistances,  require  the  disclosure  of  medical  information  when  a  specific  threat  has  been 
made  to  a  person's  safety. 


These  comments  on  'Treatment,  Payment  and  Health  Care  Operations"  have  been  endorsed  by 
the  following: 

American  Association  of  People  with  DisabiUties 
American  Psychoanalytic  Association 

Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Conunittee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Woiking  Gtonp 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Fanuhes 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 
Kathleen  Mogul,  MD 
Sharyn  F.  Barson,  MSS,  ACSW,  LCSW 
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IVONIMUM  NECESSARY 

Sectioa  164306(bXl)Standard:  minimum  necessary. 

SUMMARY 

We  support  the  general  rule  in  the  proposed  regulation  that  organizations  **must  make  all 
reasonable  efforts  not  to  use  or  disclose  more  than  the  minimum  amount  of  protected  health 
information  necessary  to  accomplish  the  intended  purpose  of  the  use  or  disclosure."  We  are 
particularly  pleased  that  the  minimization  requirement  extends  to  treatment,  payment,  and  health 
care  operations. 

This  rule  does  not  ^ply  in  the  following  circumstances: 

♦  When  the  individual  requests  that  a  disclosure  be  made  to  a  third  party 

♦  When  the  individual  requests  access  to  his  or  her  own  health  information 

♦  For  enforcement  of  the  rule 

♦  Made  by  a  covered  health  care  provider  to  a  covered  health  plan  for  audit  and 
related  purposes 

♦  When  required  by  law  and  permitted  in  section  1 64.5 1 0 

We  believe  that  the  only  appropriate  exception  to  the  minimization  requirement  is  when  an 
individual  requests  access  to  his  or  her  own  information.  In  all  other  circumstances,  the 
minimization  requirement  should  apply  for  all  uses  and  disclosures. 

We  recognize,  however,  that  because  the  proposed  rule  only  covers  certain  entities,  it  may  not 
always  be  possible  for  the  covered  entity  to  make  a  determination  as  to  what  information  is 
necessa^  to  accomphsh  the  purpose  of  the  disclosure.  In  some  circumstances  —  such  as  health 
care  oversight  —  there  may  even  be  a  conflict  of  interest  in  disclosing  the  data. 

The  proposed  rule  r^olves  this  tension  by  exempting  certain  activities  from  the  minimization 
requirement  These  exceptions,  however,  are  particularly  broad,  particularly  with  regard  to 
disclosures  allowable  under  section  164.510.  In  practice,  it  would  mean  that  a  large  number  of 
uses  and  disclosures  would  not  be  subject  to  the  minimization  requirement.  These  activities 
include  health  oversight,  law  enforcement,  directory  information,  judicial  and  administrative 
proceedings,  research,  next-of-kin,  and  many  others. 

Our  comments  identify  those  areas  where  we  feel  that  the  minimization  requirement  is 
appropriate  and  should  be  applied  in  the  context  of  the  proposed  regulation.  We  still  believe, 
however,  that  a  universal  minimization  requirement  is  essential,  and  should  be  enforced  through 
a  comprehensive  federal  health  privacy  law. 

Finally,  our  comments  identify  circumstances  where  we  believe  that  the  entity  requesting 
information  should  be  held  to  a  minimization  standard.  In  these  cases,  the  disclosing  entity 
could  rely  on  the  decision  of  the  requesting  entity,  without  losing  accountability. 

Note:  The  proposed  rule  establishes  the  general  minimization  requirement  in  section 

164.506(bXl)  and  includes  a  list  of  exceptions.  In  our  comments  we  do  not  suggest 
amending  this  section,  but  adding  additional  requirements  to  the  individual  sections 
included  as  exceptions  to  the  minimization  requirement  However,  the  same  result  could 
be  achieved  by  narrowing  the  exceptions  to  the  minimization  rule  outlined  in  section 
506(b)(1). 

1.  IMPLEMENTATION  SPECIFICATION:  NEED  FOR  IDENTIFIABLE  DATA 
Recommendation : 

Section  164.506(b)(2)  (the  implementation  specifications  of  the  minimization  standard)  should 
be  revised  to  include  a  requirement  that  the  covered  entity  determine  if  personal  identifiers  are 
necessary  to  accomplish  the  purpose  of  the  disclosure. 
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Rationale: 

It  is  essential  that  the  minimization  rule  requires  the  covered  entity  to  make  a  determination  as  to 
whether  the  purpose  of  the  disclosure  could  be  accomplished  with  information  that  does  not 
identify  individuals.  This  principle  is  implied  in  the  proposed  regulation,  but  is  not  made  explicit 
in  the  text 


2.  DUTY  TO  REQUEST  THE  MINIMUM  NECESSARY 
Recommendation: 

Where  the  disclosing  entity  does  not  have  the  ability  to  determine  the  minimum  amount 
necessary,  the  covered  entity  requesting  the  information  should  only  be  permitted  to  request  the 
minimum  amount  necessary  to  accomplish  the  purpose  of  the  disclosure. 

Rationale: 

There  are  a  number  of  circumstances  where  the  entity  disclosing  data  is  expected  to  assume  that 
the  amount  requested  in  the  minimum  amount  necessary.  There  is  no  requirement  in  the 
proposed  rule,  however,  for  the  entity  requesting  data  to  request  only  the  minimum  amount 
necessary.  In  such  circumstances,  therefore,  there  will  be  no  guarantee  that  the  minimum 
amoimt  of  information  will  be  shared. 

The  proposed  rule  should  address  this  issue  by  requiring  that  the  entity  requesting  data  —  if  they 
are  a  covered  entity  —  be  required  to  request  only  the  minimum  amount  necessary  to  accomplish 
the  purpose  of  the  disclosure. 

3.  DISCLOSURES  AT  THE  INDIVIDUAL'S  REQUEST 
Recommendation : 

When  a  covered  entity  discloses  protected  health  information  at  the  individual's  request,  they 
should  limit  the  disclosure  to  the  minimum  amoimt  necessary,  unless  the  individual  has  indicated 
otherwise. 

Rationale: 

The  proposed  regulation  distinguishes  between  an  authorization  made  at  the  request  of  an 
individual,  and  an  authorization  made  at  the  request  of  a  covered  entity.  If  the  individual  makes 
the  request,  the  covered  entity  is  not  bound  to  the  general  minimization  requirement.  In  practice, 
then,  a  covered  entity  could  disclose  more  information  than  the  individual  intended. 

We  believe  that  the  minimization  requirement  should  be  extended  to  circumstances  when  the 
individual  requests  a  covered  entity  to  make  a  disclosure.  If  the  individual  wants  all  protected 
health  information  released,  that  can  be  specified  in  the  authorization. 

4.  JUDICIAL  AND  ADMINISTRATIVE  PROCEEDINGS 
Recommendation: 

Where  a  request  for  protected  health  information  is  not  accompanied  by  a  court  order,  the 
covered  entity  should  only  be  permitted  to  disclose  the  amount  of  information  requested. 

Rationale: 

The  proposed  rule  specifies  that  in  the  case  of  judicial  and  administrative  proceedings,  "[wjhere 
the  request  for  disclosure  of  protected  health  information  is  accompanied  by  a  court  order,  the 
covered  entity  may  disclose  only  that  protected  health  information  which  the  court  order 
authorizes  to  be  disclosed."  Section  164.5 10(d)(3)(i).  However,  if  the  request  is  not 
accompanied  by  a  court  order  there  is  no  requirement  that  only  the  amount  requested  be 
disclosed-  We  believe  that  only  the  amount  reasonably  necessary  to  respond  to  the  request 
should  be  disclosed. 
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5.  LAW  ENFORCEMEr^ 
Recommendation: 

Sections  164.5 10(f)(3  and  5)  should  be  revised  to  ensure  that  these  disclosures  are  limited  to  the 
minimum  amount  necessary  to  accompUsb  the  purpose  of  the  disclosure. 

Rationale: 

The  proposed  rule  somewhat  limits  the  amount  and  type  of  information  available  to  law 
enforcement.  There  are  some  circumstances,  however,  where  law  enforcement  officials  would 
have  access  to  all  parts  of  the  medical  record,  without  a  meaningfiii  review  process. 

Law  enforcement  access  to  protected  health  information  for  information  about  a  victim  of  crime 
or  abuse,  and  for  health  care  fraud,  should  be  subject  to  the  minimum  amount  necessary  to 
accomplish  the  purpose  of  the  disclosure. 

6.  NEXT  OF  KIN 
Recommendation: 

Disclosures  to  next  of  kin  should  be  restricted  to  the  minimum  amount  necessary  to  accomplish 
the  purpose  of  the  disclosure,  and  restricted  to  information  relevant  to  the  current  medical 
condition. 

Rationale: 

The  proposed  rule  allows  for  disclosures  to  next-of-kin  if  the  individual  has  verbally  agreed  to 
the  (isclosure.  There  is  no  guidance,  however,  as  to  how  much,  or  what  kind  of  information  can 
be  disclosed.  Since  the  agreement  in  this  instance  will  be  a  verbal  agreement,  it  is  especially 
important  to  insure  that  only  the  minimum  amoimt  of  information  necessary  is  disclosed,  and 
only  that  information  relevant  to  the  current  medical  condition. 

In  other  words,  the  verbal  agreement  to  disclosure  to  next  of  kin  should  be  understood  to  mean 
information  about  the  present  medical  condition  at  issue,  unless  the  individual  has  given  specific 
permission  to  disclose  additional  information. 

This  approach  was  taken  in  some  of  the  comprehensive  health  privacy  bills  considered  in  the 
106*  Congress.  S.  578,  co-sponsored  by  Senators  Jeffords  (R-VT)  and  Dodd  (D-CT),  for 
example,  allows  information  to  be  shared  with  next  of  kin  if  "the  information  disclosed  related  to 
health  care  currently  being  provided  to  that  individual."  S.  578  §  204  (a)  (2). 

7.  LIMIT  SECTION  164.510  DISCLOSURES  TO  AMOUNT  REQUESTED 
Recommendation : 

When  a  covered  entity  discloses  protected  health  information  pursuant  to  section  164.510,  they 
should  be  prohibited  from  disclosing  information  in  excess  of  the  information  requested. 

Rationale: 

We  agree  that  it  will  sometimes  be  impracticable  for  covered  entities  to  determine  the  minimum 
amount  necessary  for  the  disclosures  identified  in  section  164.510.  However,  when  the  covered 
entity  discloses  information  pursuant  to  section  164.510,  they  should  only  be  permitted  to 
disclose  the  amount  of  information  requested.  In  Maine,  for  example,  the  relevant  state  law 
requires  that  "a  health  care  practitione/  or  facility  that  discloses  health  care  information... may  not 
disclose  information  in  excess  of  the  information  requested  in  the  authorization."  Me  Rev.  Stat 
tit.  22  sec.  171 1-  C  ,  subsec.  10  as  amended  by  1999  Me.  Laws  512  sec.  Ax  5.  Where 
authorization  is  not  required  (including  disclosures  pursuant  to  subpoenas),  the  entity  "may  not 
disclose  information  in  excess  of  the  infomiation  reasonably  required  for  the  purpose  for  which  it 
is  disclosed."  Id. 
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These  comments  on  "Minimum  Necessary"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

RIGHT  TO  REQUEST  RESTRICTIONS 

Section  164J06(c)    Standard:  right  of  an  indhidnal  to  restrict  oses  and  disciosnres, 
SUMMARY 

We  support  the  general  idea  behind  the  regulations'  granting  individuals  the  right  to  request 
restrictions  on  the  uses  and  disclosures  of  protected  health  information.  There  are  many 
circumstances  where  an  individual  has  a  legitimate  concern  that  the  disclosure  of  protected 
health  information  will  result  in  personal  harm  or  discrimination.  Imposing  a  restriction  on  the 
disclosure  of  protected  health  information  can  help  alleviate  these  potential  problems.  We 
believe,  however,  that  the  right  to  request  a  restriction  does  not  adequately  address  these 
concerns.  The  regulations  should  provide  more  protection  for  individuals. 

We  suggest  that  the  regulations  be  amended  in  the  following  ways: 

1 .  Allow  individuals  to  have  a  true  right  to  restrict  (not  just  the  right  to  request  restrictions 
on)  the  use  and  disclosure  of  their  protected  health  information  where  the  disclosure  of 
that  information  could  jeopardize  the  safety  of  the  individual. 

2.  Allow  individuals  who  pay  for  their  own  medical  care  (self  pay)  to  have  a  true  right  to 
restrict  the  disclosure  of  their  protected  health  information. 

3.  Extend  the  application  of  this  section  to  all  covered  entities. 

4.  Require  all  covered  entities  that  receive  health  care  information  that  is  subject  to  a 
restriction  agreement  to  comply  with  the  restriction. 

1.       A  TRUE  RIGHT  TO  RESTRICT 
Recommendation: 

The  regulations  should  include  a  new  provision  specifying  that  individuals  have  a  right  to  restrict 
the  use  and  disclosure  of  their  protected  health  information  (not  subject  to  the  approval  of  a 
covered  entity)  where  the  disclosure  of  such  information  could  jeopardize  the  safety  of  the 
individual. 

Rationale: 

Victims  of  domestic  abuse  need  to  be  able  to  place  restrictions  on  the  use  and  disclosure  of  their 
protected  health  information  even  for  treatment,  payment  and  health  care  operations  purposes. 
Victims  of  abuse  need  to  know  fliat  their  health  information  and  their  whereabouts  will  be  fully 
protected  in  order  to  access  health  care  safely.  It  is  essential  that  a  victim  who  has  fled  an  abuser 
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not  be  found  because  a  provider  or  insurer  gives  the  batterer  the  victim's  new  address,  either 
directly  or  through  the  maihng  of  an  explanation  of  benefits  form.  A  victim's  right  to  restrict  the 
disclosure  of  protected  health  information  should  not  be  dependent  on  the  agreement  of  a  health 
care  provider,  who  may  underestimate  the  severity  of  the  danger.  Failing  to  give  victims  of 
abuse  a  true  ri^t  to  limit  disclosures  of  information,  where  the  disclosure  would  endanger  dieir 
safety,  will  undermine  the  efforts  of  the  health  care  community  to  serve  victims  of  abuse  and 
deprive  them  of  necessary  care  and  assistance. 

HIPAA  recognizes  the  special  needs  of  victims  of  domestic  violence  by  specifically  including 
conditions  resulting  fi-om  abuse  as  a  prohibited  underwriting  consideration.  The  draft  regulations 
also  recognize  the  need  of  victims  of  abuse  for  special  protection  against  the  disclosure  of  their 
whereabouts  by  providing  protection  against  such  disclosures  in  section  164.5 10(h)  relating  to 
directory  information  and  the  discussion  at  page  59965.  However,  as  discussed  above,  the 
confidentiality  needs  of  victims  of  abuse  extend  beyond  the  need  to  limit  directory  infonnation. 

Granting  individuals  the  true  right  to  restrict  the  disclosure  of  their  protected  health  information 
to  protect  their  safety  is  not  a  novel  concept.  The  1998  Health  Information  Privacy  Model  Act 
adopted  by  the  National  Association  of  Insurance  Commissioners  (NAIC)  takes  this  approach. 
See  Health  Information  Privacy  Model  Act,  sec.  14.  A.  The  NAIC,  the  association  of  state 
insurance  regulators,  adopts  model  laws  only  after  obtaining  extensive  input  fi'om  all  interested 
parties.  In  the  case  of  this  privacy  model,  the  NAIC  deliberated  over  several  years,  holding 
numerous  meetings  at  which  insurers  and  consumers  provided  extensive  comment  and  engaged 
in  lengthy  negotiation.  This  model  and  the  particular  provision  which  we  ask  the  Secretary  to 
include  in  the  regulations  can  therefore  be  considered  to  be  the  result  of  a  consensus,  to  which 
numerous  participating  health  plans  and  members  of  the  insurance  industry  agreed.  We  suggest 
that  the  Secretary  adopt  the  approach  taken  by  NAIC's  Model  Act. 

Specifically,  we  recommend  that  the  Secretary  add  the  following  subsection  to 
section  164.506: 

Standard:  Right  of  an  individual  to  restrict  the  use  and  disclosure  of 
protected  health  information  where  disclosure  could  jeopardize  the 
safety  of  the  individual. 

(a)  An  individual  has  the  right  to  restrict  the  disclosure  of  his  or 
her  protected  health  information  bv  communicating  in  writing  to  a 
covered  entity  that  the  safety  of  the  individual  could  be  jeopardized 
by: 

(1)  disclosures  to  specified  individuals  :  or 

(2)  contacting  the  individual  in  specified  manners. 

(h)  A  covered  entity  may  not  disclose  protected  health  information 
irxonsistent  with  the  restriction  under  paragraph  (a)  of  this  section.  Such 
restrictions  may  include,  but  are  not  limited  to.  prohibiting  the  release  of  any 
information  to  a  spouse  to  prevent  domestic  violence,  and  restrictions  on  the 
mailing  of  appointment  notices  to  the  individual's  home,  calling  the  home  to 
confirm  appointments,  and  mailing  an  explanation  of  benefits  to  the  individual 
or  to  the  policyholder.  If  the  individual  places  restrictions  on  the  maimer  in 
which  the  covered  entity  may  communicate  with  the  individual,  the  covered 
entity  may  ask  the  individual  to  provide  a  phone  number  or  an  address  for 
such  communications  and  may  require  the  individual  to  indicate  how  payment 
will  be  arranged  if  payment  is  due. 

2.       SELF-PAYING  INDIVIDUALS 
Recommendation: 

We  believe  that  the  right  to  request  restriction  agreements  should  continue  to  be  available  to  all 
individuals.  In  addition,  the  regulations  should  include  a  new  provision  specifying  that  an 
individual  who  pays  a  health  care  provider  directly  for  health  care  sendees  has  the  right  to 
restrict  the  use  and  disclosure  of  health  care  infomiation  related  to  such  services,  and  that  such 
right  is  not  subject  to  the  approval  of  the  health  care  provider. 
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Rationale: 

The  Secretary  has  indicated  that  she  considered  limiting  the  right  to  request  restrictions  on 
disclosures  to  patients  who  pay  for  their  own  health  care.  64  Fed.  Reg.  59946.  At  a  bare 
minimum,  we  beheve  that  all  individuals,  not  just  those  who  self-pay,  should  have  a  right  to 
request  restrictions. 

Additionally,  we  believe  that  individuals  who  self-pay  should  have  the  true  right  to  restrict  the 
use  and  disclosure  of  their  protected  health  information.  Some  individuals  have  opted  to  pay  for 
treatment  for  certain  medical  conditions  themselves  rather  than  take  the  risk  that  their  insurance 
company  or  their  employer  will  learn  of  these  conditions  and  take  adverse  actions  against  them. 
This  approach,  while  not  ideal,  allows  people  to  get  the  treatment  they  need  while  controlling  the 
possibility  of  discrimination  based  on  health  condition.  We  believe  that  individuals  who  self-pay 
for  their  health  care  should  have  the  ability  to  control  the  use  and  disclosure  of  the  related  health 
information.  This  is  particularly  true  in  a  regulatory  system  such  as  the  one  proposed  that  would 
allow  an  individual's  health  information  to  be  freely  used  for  the  treatment  and  payment  of 
others. 

We  propose  that  the  regulations  include  a  new  provision  that  allows  patients  who  self-pay  for 
their  health  care  to  restrict  the  use  and  disclosure  of  the  related  health  care  information.  The 
decision  to  restrict  should  be  made  solely  by  the  individual  and  should  not  be  subject  to  the 
agreement  of  the  health  care  provider.  The  ability  to  restrict  disclosures  for  payment  is  a  naniral 
consequence  of  self-paying.  We  believe  an  individual  should  also  be  able  to  restrict  the  use  and 
disclosure  of  protected  health  information  for  treatment  purposes  given  the  Secretary's  intention 
that  information  generally  may  be  used  for  treatment  of  all  individuals  without  the  subject's 
consent. 

Hawaii,  which  recently  enacted  a  comprehensive  privacy  of  health  care  information  law,  adopted 
this  approach  and  allows  individuals  who  self-pay  to  restrict  the  disclosin-e  of  their  health  care 
informatioiL  See  Hav/.  Rev.  StaL  §  323C-21(c).  We  suggest  that  the  Secretary  adopt  the 
approach  taken  by  Hawaii's  health  privacy  law  and  add  the  following  subsection  to  section 
164.506: 

Standard:  Ri^ht  of  an  individual  to  restrict  uses  and 
disclosures  of  protected  health  information  related  to  health  care 
services  paid  for  directly  by  the  individ^uil. 

If  an  individual  does  not  want  protected  health  information 
used  or  disclosed  tor  the  purposes  of  treatment,  payment  or  health 
care  operations,  the  individual  shall  advise  the  health  care  provider 
prior  to  the  delivery  of  services  that  the  relevant  protected  health 
information  shall  not  be  disclosed  for  these  purposes  pursuant  to 
section  I64.506(a)(l)fi).  and  the  individual  shall  pay  the  health 
care  provider  directly  for  health  care  services.  Protected  health 
information  related  to  health  care  services  so  identified  and  paid 
for  directly  by  the  individual  shall  not  be  disclosed  for  purposes  of 
treatment  payment,  or  health  care  operation  purposes  without  the 
individual's  authorization. 


3.       APPLICATION  TO  ALL  COVERED  ENTITIES 
Recommendation: 

We  urge  the  Secretary  to  expand  the  application  of  this  section  to  all  covered  entities. 
Rationale: 

As  discussed  above,  we  believe  that  individuals  should  have  a  true  right  to  restrict  the  disclosure 
and  use  of  their  protected  health  information  in  certain  circumstances.  Whether  the  Secretary 
adopts  our  suggested  ^proach  or  maintains  the  current  regulatory  framework  of  only  allowing 
individuals  to  request  restrictions  on  disclosiu^es,  we  beheve,  at  a  minimum,  that  the  restriction 
requirements  should  apply  not  only  to  health  providers,  as  currently  specified  in  section 
164.506(c)(lXi),  but  also  to  health  plans. 
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The  disclosure  of  protected  health  information  may  pose  a  harm  to  the  individual,  regardless  of 
the  source  of  that  disclosure.  There  are  circumstances  in  which  it  is  appropriate  to  request  not 
only  a  health  provider  but  also  a  health  plan  to  restrict  disclosures  of  protected  health 
information.  Iq  light  of  NAIC's  1998  Health  Inforaiation  Privacy  Model  Act  it  appears  the  health 
insurance  industry  and  the  NAIC  have  akeady  reached  a  consensus  that  health  plans  may  be 
required  to  restrict  the  disclosure  of  health  information. 


4.       THE  RESTRICTION  SHOULD  FOLLOW  THE  PROTECTED  HEALTH 
INFORMATION 

Reconunendation : 

Require  all  covered  entities  that  receive  health  care  information  that  is  subject  to  a  restriction  to 
comply  with  the  restriction. 

Rationale: 

Under  the  proposed  regulations,  it  appears  that  only  the  original  health  care  provider  is  required 
to  comply  with  the  restriction  agreement  See  164.506(c).  Although  the  covered  entity  entering 
into  such  an  agreement  is  required  to  notify  those  to  whom  such  information  is  disclosed  of  such 
restriction  there  is  no  reqxiirement  that  a  covered  entity  receiving  the  information  comply  with 
the  restriction.  §  164.506(c)(2)(iv).  A  restriction  that  does  not  follow  the  information  would  be  of 

limited  value.  The  Secretary  clearly  has  the  authority  to  impose  a  duty  to  comply  with  the 
restriction  on  a  covered  entity  receiving  such  information.  We  recommend  that  such  a  provision 
be  added  to  the  regulations. 


These  comments  on  "Right  to  Request  Restrictions"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

BUSINESS  PARTNERS 

Section  164.S06(e)    Standards:  business  partners. 

SUMMARY 

We  strongly  support  the  section  in  the  proposed  regulation  that  states  that  business  partners  are 
considered  to  be  acting  on  behalf  of  the  covered  entity.  Most  importantly,  we  vigorously  urge  the 
Secretary  to  continue  in  the  final  regulation  the  mandate  that,  under  the  "satisfactory  assurance" 
requirement,  covered  entities  must  enter  into  contracts  with  business  parmers  that  designate 
individuals  whose  protected  health  information  is  disclosed  as  "intended  third  party  beneficiaries 
of  the  contract."  This  language,  we  believe,  provides  the  legal  basis  for  individuals  to  bring  an 
action  in  state  court  for  breach  of  contract  in  the  event  the  regulation  is  violated  by  a  covered 
entity  or  business  parmer. 
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Recommendation : 

We  strongly  commend  the  requiremeni  that  covCTcd  aitities  have  wnneri  contracts  with  their 
business  partners  limiting  the  partners'  use  and  disclosure  of  protected  health  information. 

Rationale: 

Ideally,  a  health  privacy  law  or  regulation  would  impose  restrictiorLS  directly  on  all  of  those  who 
receive  protected  health  informatiorL  including  the  agents  and  contractors  of  health  care 
providers  and  health  plans.  Unlike  health  care  providers,  these  dcv»nstream  users  and  processors 
often  do  not  have  an  ethical  obligation  to  mamtain  patient  confidentiahry'.  We  recognize, 
however,  that  the  proposed  regulations  were  unable  to  directly  cover  these  organizations  due  to 
the  Secretary's  limited  authority  under  HIP>AA.  Regulating  the  agents  and  contractors  of  covered 
entities  indirectly,  through  the  covered  endties,  makes  sense  m  diese  circumstances.  This  is 
particxilariy  true  since  most  covered  entides  already  enter  mto  contracts  ^-iih  their  business 
partners.  We  anticipate  that  some  covered  entities  will  protest  that  they  should  not  be  held 
responsible  for  the  actions  of  others.  We  note  ai  the  outset  that  the  proposed  regulatory  scheme  is 
not  a  departure  from  traditional  agency  principles  under  which  a  contractor  may  be  held 
responsible  for  its  agents'  actions.  Furthermore,  the  proposed  regulations  adequately  and  fairly 
address  the  fairness  issue  by  limiting  a  covered  entity's  habiiity  to  circumstances  where  the 
covered  entity  knew  or  reasonably  should  have  known  of  a  material  breach  of  the  contract  of  the 
business  partner  and  failed  to  act  Concerns  of  being  unduly  penalized  also  should  be  alleviated 
by  the  fact  that  the  Secretary  has  expressed  a  general  philosophy  of  a  cooperative  approach  to 
obtaining  compliance  with  the  regulations. 

Recommendation: 

We  vigorously  urge  the  Secretary  to  continue  in  the  final  regulation  the  mandate  that,  under  the 
"satisfactory  assurance"  requirement,  covered  entities  must  enter  into  contracts  with  business 
partners  that  designate  individtials  whose  protected  health  information  is  disclosed  as  "intended 
third  party  beneficiaries  of  the  contract." 

RatioaaJe: 

This  language,  we  believe,  provides  the  legal  basis  for  individuals  to  bring  an  action  in  stale 
court  for  breach  of  contract  in  the  event  the  regulation  is  violated  by  a  covered  entity  or  busmess 
partner.  This  may  effectively  provide  an  avenue  for  individuals  to  enforce  die  provisjons  of  the 
privacy  standards. 


These  commoxts  on  **Business  Partners"  have  been  endoised  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Assodation  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  .Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  .All 

Myositis  Association  of  America 
National  Association  of  People  With  .AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Famihes 
Privacy  Rights  Gearinghouse 
Women's  Law  Project 


134 


DECEASED  PERSONS 

Section  164.506(f)     Standard:  deceased  individuals. 
SUMMARY 

We  disagree  with  the  proposed  rule  requiring  that  an  individual's  protected  health  information  be 
subject  to  the  requirements  of  the  regulation  for  only  two  years  after  death  except  if  the 
information  is  used  or  disclosed  for  research  purposes.  Because  we  agree  with  the  Secretary  that 
extending  protection  after  death  would  preserve  an  individual's  dignity  and  encourage 
individuals  to  be  open  and  honest  in  seeking  treatment,  we  believe  that  this  policy  should  not  be 
abandoned  after  two  years.  We  also  disagree  with  the  Secretary's  decision  to  exclude  from  the 
rule  information  used  or  disclosed  for  research  purposes.  The  regulation  should  apply  to  all  uses 
and  disclosures  after  death,  including  research,  as  long  as  the  covered  entity  maintains  the 
information.  Additionally,  family  members  with  legitimate  health-related  reasons  should  be  able 
to  exercise  the  deceased  individual's  right  of  access  where  there  is  no  other  individual  authorized 
by  the  regulations  to  exercise  such  access.  We  have  incorporated  all  of  our  suggestions  in  a 
proposed  revised  section  164.506(f)  at  the  end  of  our  comments  to  this  section. 

1.        PERIOD  OF  TIME  THAT  PROTECTIONS  REMAIN  IN  FORCE 

Recommendation : 

A  deceased  individual's  protected  health  information  should  be  subject  to  the  requirements  of  the 
regulation  as  long  as  the  covered  entity  maintains  the  information. 

Rationale: 

The  Secretary's  rationale  for  the  two-year  limitation  is  based  on  a  balancing  test  The  Secretary 
concludes  that  the  administrative  burden  of  identifying  individuals  who  may  access  a  deceased 
person's  information  outweighs,  after  two  years,  the  dignity  of  the  deceased  and  the  interest  of 
encouraging  individuals  "seeking  treatment  to  be  frank."  In  arriving  at  the  two-year  limitation, 
the  Secretary  states: 

If  information  is  needed  for  legitimate  purposes,  the  consent  of  a  living  person  legally 
authorized  to  grant  such  consent  must  be  obtained,  and  the  ftirther  from  the  date  of  death, 
the  more  difficult  it  may  be  to  identify  the  person.  The  administrative  burden  of 
perpetual  protection  may  eventually  outweigh  the  privacy  interests  served,  (p.  59950) 

Other  than  administrative  burdens,  the  Secretary  does  not  state  any  reason  why  the  two-year 
limit  was  chosen  or  any  reason  why  protections  should  not  be  perpetual.  Other  than  those 
authorized  to  access  a  deceased  person's  records  for  legitimate  purposes  (executor,  administrator 
or  family  member— as  die  case  may  be),  it  is  unclear  who  would  want  to  obtain  protected  health 
information  of  the  deceased  other  than  conunercial  collectors  or  marketers  who  have  no 
legitimate  interest  in  the  information. 

The  Secretary  does  not  discuss  genetic  or  hereditary  information  in  her  initial  balancing  test  (as 
discussed  above),  but  later  explains  growing  concerns  that  "genetic  information  about  one  family 
member  may  reveal  health  information  about  other  members  of  that  family"  which  may 
compromise  "the  health  data  confidentiality  of  living  relatives."  (p.  59951)  In  discussing  why  it 
did  not  propose  a  special  use  and  disclosure  mle  for  genetic  and  hereditary  information,  the 
Secretary  states: 

We  considered  extending  the  two-year  period  for  genetic  and  hereditary 
information,  but  were  unable  to  construct  criteria  for  protecting  the  possible 
privacy  interests  of  living  children  without  creating  extensive  burden  for 
information  holders  and  hampering  health  research,  (p.  59951) 

This  approach  is  problematic.  On  the  one  hand,  the  Secretary  acknowledges  the  growing 
concerns  of  linking  genetic  and  hereditary  information  of  the  deceased  to  living  relatives,  but 
later  states  problems  with  a  special  mle  as  the  reason  not  to  address  the  concerns  of  living 
relatives.  While  we  understand  the  difficulties  in  constmcting  criteria  for  a  special  rule  for 
genetic  and  hereditary  information,  clearly  the  interests  of  living  relatives  and  family  members 
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could  be  protected  by  extending  the  two-year  limitation.  It  is  unclear  why  the  Secretary  did  not 
do  this.  The  concerns  of  living  relatives  do  not  stop  after  two  years  but  continue  forever  because 
genetic  and  hereditary  information  can  always  be  linked  to  living  relatives.  As  long  as  the 
covered  entity  maintains  the  information,  it  should  be  protected. 

We  are  also  concerned  that  the  regulations  may  be  interpreted  as  providing  a  right  of  access  to  a 
deceased's  records  only  for  a  2-year  period  after  death.  Section  164.506(f)  provides  that  a 
covered  entity  must  "comply  with  the  requirements  of  this  subpan  with  respect  to  the  protected 
health  information  of  a  deceased  individual  for  two  years  following  the  death  of  such 
individual."  Because  section  164.506  is  contained  in  subpart  E,  the  term  "this  subpart"  refers  to 
subpart  E,  which  includes  the  provisions  on  access.  The  provisions  on  access,  contained  in 
section  164.514(a),  provide  that  an  individual's  right  of  access  to  his  own  health  information 
exists  as  long  as  the  entity  maintains  the  protected  health  information.  Thus,  section  164.514(a) 
appears  to  be  inconsistent  with  section  164.506(f).  It  is  at  least  arguable  that  the  two-year  limit 
provided  in  section  164.506(f),  which  specifically  applies  to  the  health  information  of  deceased 
persons,  limits  an  entity's  duty  to  comply  with  a  request  for  the  health  information  of  a  deceased 
person  to  a  two-year  period  after  death.  However,  access  to  a  deceased  person's  health 
information  may  be  vital  to  establishing  the  cause  of  death,  maintaining  a  cause  of  action,  or 
assisting  in  the  health  care  of  surviving  family  members.  The  regulations  should  clarify  that  the 
right  of  access  of  an  individual,  including  the  representatives  of  a  deceased  individual,  exists  for 
the  entire  period  the  information  is  held  by  a  covered  entity. 

At  least  one  state  has  determined  that  the  interest  in  protecting  the  privacy  of  a  deceased's  health 
information  outweighs  the  administrative  burden  in  protecting  that  information.  The  privacy  and 
access  provisions  of  Hawaii's  recently  enacted  health  care  information  privacy  law  "continue  to 
apply  to  protected  health  information  concerning  a  deceased  individual  following  the  death  of 
that  individual."  See  Haw.  Rev.  StaL  §  323C-43. 

We  strongly  encourage  the  Secretary  to  adopt  a  similar  rule. 
2.        RESEARCH  PURPOSES 

Recommendatioa : 

The  privacy  standards  should  apply  to  all  uses  and  disclosures  after  death,  including  research. 
The  proposed  regulations  should  be  revised  to  extend  privacy  protections  to  research  on 
deceased  subjects. 

Rationale: 

The  Secretary  proposes  that  the  two-year  limitation  not  apply  to  uses  or  disclostires  for  research 
purposes.  The  Secretary's  rationale  is  that  deceased  persons  are  not  considered  "human 
subjects"  under  the  Common  Rule  and  have  never  been  covered  in  research  protocol 
assessments.  While  we  understand  the  Secretary's  desire  to  maintain  the  status  quo,  we  believe 
the  same  concerns  regarding  use  and  disclosure  of  genetic  and  hereditary  information,  as 
discuissed  above,  apply  in  the  research  context.  In  many  cases,  we  believe  that  the  risk  of 
identification  is  greater  in  the  research  context  because  researchers  may  attempt  to  identify 
genetic  and  hereditary  conditions  of  the  deceased.  While  information  of  the  deceased  does  not 
necessarily  identify  living  relatives  by  name,  clearly  living  relatives  could  be  identified  and 
suffer  the  same  harm  as  if  their  own  medical  records  were  used  or  disclosed  for  research 
purposes. 

While  we  do  not  propose  here  to  change  the  Common  Rule,  we  believe  that  research  involving 
information  of  the  deceased  deserves  the  same  protection  as  that  of  living  persons.  We  strongly 
encourage  the  Secretary  to  adopt  a  rule  to  cover  all  uses  and  disclosures  of  information  after 
death,  including  research. 


3.        ACCESS  BY  FAMILY  MEMBERS 
RecommendatioD: 

Section  164.506(f)  should  be  clarified  to  allow  access  to  a  family  member  who  has  demonstrated 
a  legitimate  health-related  reason  for  seeking  the  information  when  there  is  no  executor. 
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administrator,  or  other  person  authorized  under  applicable  law  to  exercise  the  right  of  access  of 
the  individual. 

Rationale: 

Family  members  may  have  legitimate  health-related  reasons  for  seeking  a  relative's  protected 
health  information  when  there  is  no  one  under  the  regulation  who  is  authorized  to  exercise  the 
individual's  right  of  access.  This  is  particularly  true  given  the  evolutionary  role  of  genetics  in 
health  care. 
4.        PROPOSED  REVISION 

We  reconunend  the  following  changes  to  section  164.506(f): 

(f)  Standard:  Deceased  Individuals.  A  covered  entity  must  comply  with  the 
requirements  of  this  subpart  with  respect  to  the  protected  health  information  of  a 
deceased  individual  for  two  years  following  the  death  of  fluoh  individual.  Thio 
requirement  doec  not  apply  to  usee  or  disclocureo  for  recearoh  puipoeee.  A 
covered  entity  may  release  the  protected  health  information  of  a  deceased 
individual  to  a  family  member  who  has  demonstrated  a  legitimate  health-related 
reason  for  seeking  the  infomiation  when  there  is  no  executor,  administrator,  or 
other  person  authorized  under  applicable  law  to  exercise  the  right  of  access  of  a 
deceased  individual. 


These  comments  on  "Deceased  Persons"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortiimi  for  Citizens  with  DisabiUties  Privacy  Woridng  Group 
Families  USA 

Federation  of  Famihes  for  Children's  Mental  Health 
Hiunan  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Ehsorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

ADHERENCE  TO  NOTICE 

Section  164^06(g)    Standard:  uses  and  disclosures  consistent  with  notice. 
Recommendation : 

We  support  the  regulations'  requirement  that  covered  plans  and  providers  adhere  to  the 
statements  reflected  in  the  notice  of  information  practices. 

Rationale: 

From  a  health  consumer's  perspective,  such  a  notice  is  meaningless  if  a  covered  entity  does  not 
actually  follow  the  practices  outlined  in  its  notice.  States  that  have  comprehensive  health  privacy 
laws  impose  a  similar  requirement  on  covered  entities.  See,  eg..  Haw.  Rev.  Stat  §  323C-21(b) 
(allowing  an  entity  to  use  or  disclose  protected  health  information  within  the  entity  only  if  the 
use  or  disclosure  is  properly  noticed). 
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These  comments  on  "Adherence  to  Notice"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Gio\xp  >  » 

Families  USA 

Federation  of  FamiUes  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

COMPONENT  ENTITIES 

Section  164306       Uses  and  disclosures  of  protected  health  information:  general  rules. 

SUMMARY  '  ^-..^..^....w.  . 

We  strongly  agree  with  the  approach  that  only  the  health  care  component  of  an  organization  that 
is  primarily  engaged  in  other  unrelated  activities  should  be  considered  to  be  the  covered  entity. 
The  regulations  should  be  revised  to  expressly  reflect  this  approach.  In  addition,  the  Secretary 
needs  to  clarify  the  responsibihties  of  employers  that  sponsor  health  plans  for  their  employees 
and  dependents. 

1.       IN  GENERAL 

Recommendation: 

The  regulations  should  expressly  provide  that  with  respect  to  persons  or  organizations  that 
provide  health  care  or  have  created  health  plans  but  are  orimarily  engaged  in  other  unrelated 
activities,  the  term  "covered  entity"  encompasses  only  the  health  care  component  of  that  entity. 
Furthermore,  section  164.506  should  include  a  subsection  explaining  how  the  general  rule 
applies  to  covered  entities  that  are  components  of  organizations  that  are  not  covered  entities. 

Rationale: 

Designating  the  discreet  health  care  component  of  a  mixed  entity  as  the  "covered  entity"  is 
necessary  to  prevent  the  movement  of  protected  health  inforaiation  into  another  component  of 
the  organization  where  it  might  be  used  or  disclosed  improperly.  From  the  explanation 
accompanying  the  proposed  regulations,  it  is  clear  that  the  Secretary  intended  this  result.  In  order 
to  fully  implement  this  approach,  however,  this  designation  should  be  expressly  incorporated 
into  the  regulations.  As  they  are  written,  the  proposed  regulations  do  not  expressly  state  that  with 
respect  to  a  mixed  entity  of  which  only  a  portion  is  primarily  engaged  in  health  care  activities, 
the  term  "covered  entity"  encompasses  only  the  health  care  component  of  that  entity.  To  avoid 
any  potential  future  claims  of  ambiguity,  the  definition  of  covered  entity  should  facially  reflect 
the  regulatory  intent  that  it  includes  only  the  health  care  component  of  these  mixed  entities. 

Section  1 64.506,  which  contains  the  general  mles  for  uses  and  disclosures  of  protected  health 
information,  currently  lacks  a  subsection  dealing  with  how  the  rules  operate  for  component 
entities.  The  regulation  itself  should  contain  rules  for  these  circumstances. 
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2.  EMPLOYERS 
Recom  mendations : 

The  Secretary  needs  to  clarify  the  responsibilities  of  employers  that  sponsor  health  plans  for  their 
employees  and  dependents  in  two  important  ways: 

1 .  by  making  clear  that  while  employers  in  their  entirety  are  not  covered  entities,  the 
component  of  the  employer  that  sponsors  a  covered  ERISA  plan  (the  "health  care 
component")  is  a  covered  entity;  and 

2.  by  ffiaking  clear  that  there  must  be  fire  walls  set  up  between  the  health  care  component 
of  an  employer  and  the  rest  of  the  org^zation. 

Rationale: 

Most  people  who  have  private  insurance  get  that  insurance  through  employment  Because  of  the 
link  between  employment  and  health  coverage  in  American  society,  the  American  public  is 
extremely  concerned  that  employers  know  more  than  they  should  about  employees'  private 
medical  information  and  that  some  employers  will  use  that  information  inappropriately  to  make 
employment  decisions  (such  as  promotions,  job  assignments,  and  even  firing).  Yet  the  proposed 
rule  does  very  little  to  explain  how  people  will  be  protected  fix)m  these  invasions  of  their 
privacy.  If  the  Secretary  fails  to  address  these  issues  head  on,  the  American  public  will  remain 
skeptical  about  whether  the  privacy  of  their  medical  information  is  truly  protected. 

A.  Employment  based  health  plans  covered  by  HIPAA  and  this  proposed  rule 

Most  employment  based  plans  are  ERISA  plans  -  health  plans  that  are  sponsored  by  employers 
or  unions  pursuant  to  the  Employee  Retirement  Income  Security  Act.  HIPAA  and  the  proposed 
rule  include  most  ERISA  plans  within  the  definition  of  "health  plan."  Specifically,  HEPAA's 
administrative  simplification  provisions  (the  provisions  that  provide  the  statutory  authority  for 
this  proposed  rule)  define  the  term  "health  plan"  as  follows: 

(5)  Health  Plan.  -  The  term  'health  plan'  means  an  individual  or  group  plan  that 
provides,  or  pays  the  cost  of,  medical  care  ....  Such  term  includes  the  following, 
and  any  combination  thereof: 

(A)  A  group  health  plan  (as  defined  in  section  2791(a)  of  the 
Public  Health  Service  Act)' ,  but  only  if  the  plan  ~ 

(i)  has  50  or  more  participants  (as  defined  in 
section  3(7)  of  the  Employee  Retirement  Income 
Security  Act  of  1974);  or 

(ii)  is  administered  by  an  entity  other  than  the 
employer  who  established  and  maintains  the  plaiL 

(B)  A  health  insurance  issuer  (as  defined  in  section  2791(b)  of  the 
Public  Health  Service  Act). 

(C)  A  health  maintenance  organization  (as  defined  in  section 
289 1  (b)  of  the  Pubhc  Health  Service  Act). 


'  Section  2791(a)  of  the  Public  Health  Service  Act  defines  a  "group  health  plan"  as  an  employee 
welfare  benefit  plan  under  ERISA. 
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(H)  .Aji  employee  welfare  benefit  plan  or  any  other  arrangement 
which  is  established  or  maintained  for  the  purpose  of  offering  or 
providing  health  benefits  to  the  employees  of  2  or  more  employers. 

The  first  subsection  -  (AXi)  -  brings  under  this  proposed  rale  all  ERISA  plans  that  include  50 
or  more  participants.  See  Section  262  of  HIPAA,  the  pertinent  portion  of  which  is  now  codified 
in  section  1711  of  the  Social  Security  Act.  Subsection  (AXii)  brings  under  the  proposed  rule  all 
ERIS.A  plans  (regardless  of  the  number  of  participants)  that  are  administered  by  an  entity  other 
than  the  employer.  Subsection  (H)  brings  under  this  proposed  rule  all  ERISA  plans  established 
for  the  benefit  of  two  or  more  employers  —  known  as  "MEW.As."  All  of  these  types  of  ERISA 
plans  are  thus  covered  entities  subject  to  the  provisions  of  this  proposed  rule. 

The  reach  of  subsection  (AXii)  is  especially  broad.  Most  employees  (and  their  dependents)  are 
in  ERISA  plans  that  are  administered  by  an  entity  other  than  the  employer.  This  would  be  the 
case  where  the  employer  enters  into  a  contract  with  an  HMO  or  insiirance  company  to  bear  the 
risk,  administer  the  plan,  and  pay  the  claims.  This  would  also  be  the  case  where  the  employer 
bears  the  risk  but  contracts  with  an  insurance  company  (a  "third-party  administrator")  to  manage 
the  plan.  But  even  when  an  outside  entity  administers  the  plan  (whether  that  outside  entity  bears 
risk  or  not),  the  ERISA  plan  itself  -  the  arrangement  that  the  employer  sets  up  and  that  remains 
under  the  employer's  "rooF  -  is  a  covered  entity  under  HIPAA  and  this  proposed  rule. 

The  HMOs  and  insurance  companies  with  which  the  employer  contracts  also  are  covered 
entities,  but  they  are  different  oitities,  separate  from,  the  ERISA  plan  itself,  and  they  are  covered 
by  virtue  of  a  separate  component  of  the  definition  of  "health  plan,"  specifically  subsections  (B) 
jr  d  (Q  quoted  above. 

This  means  that  even  though  employers  in  their  entirety  are  not  covered  entities  under  the 
proposed  rtile,  the  component  of  every  employer  that  manages  the  coverai  ERISA  plan  is  a 
covered  entity  -  along  with  the  outside  HMO  or  insurance  company  (if  any)  with  which  the 
employer  contracts.  And  that  means  that  such  a  component  of  every  employer  with  a  covered 
ERISA  plan  must  comply  with  the  provisions  of  this  rule. 

The  health  care  component  of  an  employer  may  consist  of  the  employer's  office  manager  if  that 
is  the  person  charged  with  managing  the  day-to-day  operation  of  the  health  plan  or  may  consist 
of  an  entire  department  charged  with  managing  personnel  and  benefits  including  the  health  plan. 

B.  The  prop<»sed  rale's  treatment  of  employmeDt  based  plans 

Unfortunately,  even  a  careful  reading  of  the  proposed  rule  and  its  lengthy  preamble  shows  that 
the  essential  role  of  employers  has  been  either  misimderstood  or  overlooked.  There  are  a  few 
isolated  statements  about  employers  in  the  preamble,  but  never  an  effort  to  address  the  topic 


^  This  statutory  provision  is  in  section  262  of  HIPAA,  which  created  several  new  sections  in  the 
Social  Security  Act  (the  quoted  statutory  provision  is  now  in  section  1 1 71  of  the  Social  Security 
Act). 
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completely.  And  what  is  there  shows  a  misiinderstanding  of  the  nature  of  ERISA  plans.  In  one 
critical  passage  (page  5995 1 ),  the  Department  recognizes  that  employers  that  offer  health 
benefits  have  a  "health  care  component,"  but  refers  only  to  "self-insured"  ERISA  plans  when,  in 
fiu:t,  all  employers  with  ERISA  plans  have  a  "health  care  component."  This  passage  states: 

In  this  section  we  describe  how  the  provisions  of  this  proposed  rule  apply  to 
persons  or  organizations  that  provide  health  care  or  have  created  health  plans  but 
are  primarily  engaged  in  other  unrelated  activities.  Examples  of  such 
organizations  include  schools  that  operate  on-site  clinics,  employers  who  operate 
self-funded  health  plans,  and  information  processing  companies  that  include  a 
health  care  services  component  The  health  care  component  (whether  or  not 
separately  incorporated)  of  the  organization  would  be  the  covered  entity. 
Therefore,  any  movement  of  protected  health  information  into  another  component 
of  the  organization  would  be  a  "disclosiire,"  and  would  be  lawful  only  if  such 
disclosure  would  be  authorized  by  this  regulation.  In  addition,  we  propose  to 
require  such  entities  to  create  barriers  to  prevent  protected  health  information 
from  being  used  or  disclosed  for  other  activities  not  authorized  or  permitted  under 
these  proposed  rules,  (page  59951,  emphasis  added) 

The  above-quoted  passage  is  problematic  for  two  reasons.  First,  as  mentioned  above,  it  refers 
only  to  self-insured  employers  when  the  relevant  sections  of  HIPAA  (discussed  above)  make  no 
distinction  between  self-insured  plans  and  insured  plans.  Second,  it  is  included  in  a  section 
entitled  "Application  to  Covered  Entities  That  Are  Components  of  Organizations  That  Arc  Not 
Covered  Entities,"  but  there  is  no  section  of  the  proposed  rule  cited  here,  and  there  does  not 
appear  to  be  a  section  of  the  rule  to  which  this  discussion  clearly  relates.^ 

The  preamble  states  that  the  Department  considered  prohibiting  all  disclosures  to  employers 
without  individual  authorization,  or  alternatively  requiring  a  contract  relationship  similar  to  that 
required  for  business  partners,  both  of  which  options  it  rejected,  (page  59937)  The  correct 
approach,  and  the  one  required  by  HIPAA,  is  the  one  we  advocate  here:  treat  the  component  of 
every  employer  that  sponsors  a  covered  health  plan  as  a  covered  entity  that  is  subject  to  the  rule. 

It  is  not  necessary  to  prohibit  all  disclosures  to  employers,  nor  would  that  be  feasible  given  the 
employer's  role  in  establishing  the  health  plan  and  paying  premiums  and/or  claims.  But  by 
treating  the  health  care  component  of  an  employer  as  a  covered  entity,  subject  to  the  provisions 
of  the  rule,  the  employer  will  still  have  access  to  the  information  it  legitimately  needs,  while 
respecting  the  privacy  rights  of  employees.  Being  treated  as  a  covered  entity  does  not  mean  that 
all  uses  and  disclosures  are  disallowed,  but  strict  linuts  would  be  placed  on  how  information  is 
used  and  disclosed.  And  fire  walls  would  have  to  be  set  up  between  the  health  care  component 


^  Section  164.518(c)(3),  which  deals  with  administrative  requirements  and  safeguards,  including 
barriers  between  components  of  an  organization,  is  not  cited  in  this  part  of  the  preamble.  In  any 
event,  section  164.518(c)(3)  appears  to  deal  with  situations  where  the  organization  in  its  entirety 
is  a  covered  entity,  but  has  components  within  it  that  are  not  involved  in  health  care.  It  does  not 
seem  to  address  the  converse:  where  the  covered  entity  is  a  component  of  a  larger  entity  that 
itself  is  not  a  covered  entity. 
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of  the  employer  and  the  rest  of  the  organization,  thus  protecting  employees  from  unauthorized 
access  to  and  use  of  their  private  medical  information  by  others  within  the  organization. 

C.  Statement  of  Policy 

The  role  and  responsibilities  of  employers  that  sponsor  health  plans  are  outlined  below. 

(1)  When  an  employer  spronsors  an  ERISA  plan  that  is  a  covered  entity,  the  employer  consists  of 
a  component  that  is  a  covered  entity  within  a  larger  entity  that  itself  is  not  a  covered  entity.  This 
is  the  case  whenever  the  ERISA  plan  is  a  covered  entity,  not  just  when  the  employer  self  insures. 
This  means  that: 

(a)  the  health  care  component  must  comply  with  all  provisions  of  the  rule. 

(b)  there  must  be  fire  walls  erected  between  this  health  care  component  and  all 
other  components  of  the  organization. 

(c)  employees  who  work  within  the  health  care  component  must  be  empowered 
"to  deny  release  of  the  information  to  corporate  executives  and  managers  [outside 
the  health  care  component]  unless  required  for  health  plan  administration."  (See 
discussion  on  page  59992,  which  appears  to  relate  to  small  health  plans,  not  to 
other  types  of  employers  that  sponsor  health  plans.)  Where  non-identifiable  (or 
de-identified)  information  can  be  used,  it  must  be. 

(d)  information  cannot  be  disclosed  for  employment  purposes  without  individual 
consent,  as  is  required  by  section  164.508(aX2Xii)(E).  And  it  must  be  absolutely 
clear  that  the  employee  Icnows  that  he  or  she  can  refuse  to  authorize  disclosure 
without  penalty.  It  should  also  be  stated  (in  the  preamble)  that  this  does  not 
authorize  the  employer  to  request  or  use  protected  health  information  in  violation 
of  the  Americans  with  Disabilities  Act  (ADA). 

(2)  The  outside  HMO  or  insurance  company  must  comply  wiA  the  rule  in  its  dealings  with 
employers.  This  means  that: 

(a)  the  outside  HMO  or  insurance  company  is  permitted  to  disclose  to  the  health 
care  component  of  the  employer  only  the  minimum  amount  of  information 
necessary,  even  for  payment  purposes. 

(b)  where  non-identifiable  (or  de-identified)  information  can  be  used,  it  must  be. 

(c)  information  cannot  be  disclosed  to  the  employer  or  to  the  employer's  health 
care  component  for  employment  purposes  without  individual  consent,  as  is 
required  by  section  1 64.508(a)(2)(ii)(E).  And  it  must  be  absolutely  clear  that  the 
employee  knows  that  he  or  she  can  refiise  to  authorize  disclosure  without  penalty. 
It  should  also  be  stated  (in  the  preamble)  that  this  does  not  authorize  the 
employer  to  request  or  use  protected  health  information  in  violation  of  the  ADA. 

We  suggest  the  Secretary  make  the  following  changes  to  the  proposed  regulations. 

I .  Add  a  new  section  164.505: 

Section  164.505.  Application  to  a  covered  entity  that  is  a 
component  of  an  organization  that  is  not  a  covered  entity. 

(a)  General  requirement  -  A  covered  entity  that  is  a  component  of 
an  organization  that  is  not  a  covered  entity  must  comply  with  the 
provisions  of  this  part. 

(b)  Component  entity  that  is  a  health  plan.  An  example  of  a 
component  entity  that  is  a  health  plan  is  the  component  of  an 
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employer  that  sponsors  a  health  plan  that  itself  is  a  covered  entity 
(as  defined  in  section  160.103).  The  health  care  component  of 
such  an  employer  is  a  covered  entity  whether  the  health  plan  is 
insured  or  self-insured. 

(c)  Component  entity  that  is  a  health  care  provider.  Examples  of  a 
component  entity  that  is  a  health  care  provider  are  an  on-site  health 
clinic  operated  by  a  school,  an  on-site  clinic  operated  bv  an 
emplover.  and  a  school  nurse  that  is  employed  bv  or  under  contract 
with  a  school  or  school  system.  (To  be  treated  as  a  covered  health 
care  provider,  the  component  health  care  provider  would  have  to 
transmit  health  information  in  electronic  form  in  connection  with 
any  transaction  referred  to  in  section  1 1 73(a)(1)  of  the  Act.) 

2.  Change  section  1 64.5 1 8(c)(3)  to  ensure  that  appropriate  firewalls  are  set  up 
between  the  health  care  component  and  the  larger  organization: 

(3)  Implementation  specification:  Other  safeguards.  A  covered 
entity  must  have  safeguards  to  ensure  that  information  is  not  used 
in  violation  of  the  requirements  of  this  subpart  or  by  members  of 
its  woricforce  or  components  of  the  entity  or  employees  and  other 
persons  associated  with,  or  components  of,  its  business  parmers 
who  are  not  authorized  to  access  the  inforaiation.  In  addition,  a 
covered  entity  that  is  a  component  of  an  organization  that  is  not  a 
covered  entity  must  have  safeguards  to  ensure  that  information  is 
not  disclosed  to  the  larger  organization  in  violation  of  this  subpart. 

3.  Change  the  preamble  (page  5995 1 )  as  follows: 

In  this  section  we  describe  how  the  provisions  of  this  proposed  rule 
jqjply  to  persons  or  organizations  that  provide  health  care  or  have 
created  health  plans  but  are  primarily  engaged  in  other  unrelated 
.        activities.  Examples  of  such  organizations  include  schools  that 

operate  on-site  clinics,  employers  that  sponsor  health  plans  that  are 
covered  entities  who  operate  oolf  funded  heahh  plans,  and 
information  processing  companies  that  include  a  health  care 
services  component.  The  health  care  component  of  an  emplover 
may  consist  of  the  employer's  office  manager  if  that  is  the  person 
charged  with  managing  the  day-to-day  operation  of  the  health  plan 
or  may  consist  of  an  entire  department  charged  with  managing 
personnel  and  benefits  including  the  health  plan.  The  health  care 
component  (whether  or  not  separately  incorporated)  of  the 
organization  would  be  the  covered  entity.  Therefore,  any 
movement  of  protected  health  infomiiation  into  another  component 
of  the  organization  would  be  a  "disclosure,"  and  would  be  lawfiil 
only  if  such  disclosure  would  be  authorized  by  this  regulation.  In 
addition,  we  propose  to  require  such  entities  to  create  barriers  to 
prevent  protected  health  information  fix)m  being  used  or  disclosed 
for  other  activities  not  authorized  or  permitted  under  these 
proposed  rules.  For  health  care  components  of  employers,  these 
barriers  mean  that  employees  who  work  within  the  health  care 
component  must  be  empowered  to  deny  release  of  the  information 
to  corporate  executives  and  managers  outside  the  health  care 
component  unless  disclosure  is  required  for  health  plan 
administration  and  is  authorized  by  the  Act  and  this  subpart.  For 
health  care  components  of  organizations  such  as  schools,  these 
barriers  mean  that  people  who  work  within  the  health  care 
component  must  be  empowered  to  deny  release  of  the  information 
to  school  officials  and  others  outside  the  health  care  component 
unless  disclosure  is  required  for  uses  authorized  bv  the  Act  and  this 
subpart. 
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4.  Add  to  the  preamble  the  discussion  that  appears  above  in  section  A  (Employment 
based  health  plans  covered  by  HIPAA  and  this  proposed  rale)  and  the  discussion 
that  appears  in  section  C  (Statement  of  Pohcy). 

5.  Add  to  die  preamble  discussion  of  section  164.508  (Uses  and  Disclosures  With 
Individual  Authorization)  the  following  statement  to  clarify  section 
164.508(aX2Xii)(E): 

Section  164.508(a)(2)(iiVE).  which  requires  individual 
authorization  for  disclosure  to  an  employer  for  use  in  employment 
determinations,  does  not  authorize  employers  to  request  or  use 
information  in  violation  of  the  Americans  with  Disabihties  Act. 

These  comments  on  "Component  Entities"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  FamiUes 
Privacy  Ri^ts  Clearinghouse 
Women's  Law  Project 

INDIVIDUAL  AUTHORIZATION 

ScctioB  164308       Uses  and  disclosares  for  which  Individual  authorization  is  required. 
SUMMARY 

We  si^port  the  regulations'  requirement  that  covered  entities  obtain  an  authorization  6mm  the 
individual  for  most  uses  and  disclosures  that  are  not  directly  related  to  treatment,  payment  or 
health  care  operations.  We  strongly  agree  with  the  regulation's  prohibiting  covered  entities  from 
conditioning  the  provision  of  treatment  or  payment  on  the  individual's  delivering  an 
authorization  for  use  or  disclosure.  Furthermore,  we  support  the  Secretary's  intent  that  uses  and 
disclosures  of  protected  health  infomiation  be  consistent  with  the  purposes  stated  in  the 
authorization,  and  we  suggest  that  the  regulations  be  revised  to  expressly  provide  that  a  covered 
entity  and  its  business  partners  may  use  or  disclose  protected  health  information  only  for  the 
purpose  specified  in  the  authorization.  We  also  recommend  that  covered  entities  be  required  to 
obtain  individual  authorization  prior  to  making  cotain  disclosures  of  information  pertaining  to 
an  individual's  request  or  receipt  of  sensitive  health  services. 

1.     INDIVroUAL  AUTHORIZATION  FOR  PURPOSES  OTHER  THAN  TREATMENT 
PAYMENT  OR  HEALTH  CARE  OPERATIONS 

Recommendation : 

We  encourage  the  Secretary  to  retain  provisions  of  the  proposed  regulations  that  require  covered 
entities  to  obtain  an  authorization  from  individuals  for  most  uses  and  disclosures  of  protected 
health  information  that  are  not  directly  related  to  treatment,  payment,  or  health  care  operations. 

Rationale: 

We  agree  with  the  Secretary  that  most  individuals  do  not  anticipate  many  other  uses  of  their 
health  information,  such  as  marketing  purposes,  when  they  obtain  health  care.  Furthermore, 


144 


information  which  is  being  xised  or  disclosed  for  purposes  other  than  the  core  health-related 
purposes  is  more  likely  to  end  up  in  the  hands  of  entities  that  are  not  subject  to  the  protections 
afforded  by  the  regulations.  Thus,  it  is  appropriate  that  the  individual  be  both  notified  and 
consent  to  the  potential  use  and  disclosure  of  protected  health  information  for  these  purposes. 
The  requirement  for  individual  authorization  for  uses  of  health  information  not  directly  related  to 
the  care  of  the  patient  is  supported  by  state  law.  See  1999  Cal  Stats,  ch.  526  sec.  2  (generally 
requiring  a  patient's  authorization  for  sharing,  selling  or  using  medical  information  for  any 
purpose  not  necessary  to  provide  health  care  services  to  the  patient);  Haw.  Rev.  Stat  Sec.  323C- 
23  (requiring  a  separate  authorization  for  disclosures  of  health  information  other  than  for 
treatment,  payment  or  qualified  health  care  operations  purposes). 

2.     PROfflBITION  ON  CONDITIONING  TREATMENT  OR  PAYMENT  ON 
AUTHORIZATION  . 

Recommendation : 

We  strongly  support  the  regulation's  prohibition  on  covered  entities  fitsm  conditioning  the 
provision  of  treatment  or  payment  on  the  individual's  authorization  for  use  or  disclosure  of 
protected  health  infomiation. 

Rationale: 

Covered  entities  should  not  be  allowed  to  coerce  individuals  into  signing  authorizations  for 
disclosures  that  are  not  necessary  for  treatment,  payment  or  health  care  operations.  Recognizing 
this  potential  abuse,  California  prohibited  such  coercive  activities  in  its  recent  amendments  to  the 
Confidentiality  of  Medical  Infonnation  Act.  See  1999  Cal.  Stats,  ch  526  sec.  9  (prohibiting 
providers  and  plans  from  conditioning  the  receipt  of  health  care  services  on  the  individual's 
signing  an  authorization  or  release  of  medical  information). 

3.  USE  AND  DISCLOSURE  SHOULD  BE  LIMITED  TO  THE  PURPOSE 
SPECIFIED  IN  THE  AUTHORIZATION 

Recommendation : 

The  regulations  should  expressly  provide  that  a  covered  entity  and  its  business  partners  may  only 
use  or  disclose  protected  health  infonnation  for  the  purpose  specified  in  the  authorization. 

Rationale: 

Under  the  proposed  regulations,  when  a  covered  entity  asks  an  individual  to  sign  an 
authorization,  it  must  provide  on  the  authorization  form  a  statement  that  identifies  the  purposes 
for  which  the  infonnation  is  sought.  The  preamble  states  that  "[c]overed  entities  and  their 
business  partners  would  be  bound  by  the  statements  provided  on  the  authorization,  and  use  or 
disclosure  by  the  covered  entity  inconsistent  with  the  statement  would  constitute  a  violation  of 
tiiis  regulation."  It  appears  that  this  intended  requirement  was  not  incorporated  in  the  actual  text 
of  the  regulations. 

Section  164.506(a)(l)(ii)  generally  provides  that  a  covered  entity  is  permitted  to  use  or  disclose 
an  individual's  protected  health  infonnation  -  pursuant  to  an  authorization  by  the  individual  that 
complies  with  section  164.508,  but  does  not  expressly  impose  a  requirement  that  the  covered 
entity  use  or  disclose  the  information  solely  in  accordance  with  the  purposes  stated  in  the 
authorization.  Neither  does  section  164.508  have  such  an  express  requirement  In  order  to  avoid 
any  possible  ambiguity,  we  suggest  that  the  regulations  expressly  provide  that  covered  entities 
and  their  business  partners  may  only  use  or  disclose  protected  health  information  for  the  purpose 
specified  in  the  authorization. 

4.  SEPARATE  AUTHORIZATION  FOR  SPECIFIC  DISCLOSURES  OF 
PROTECTED  HEALTH  INFORMATION  INVOLVING  SENSITIVE  HEALTH 
CARE  SERVICES 

Recommendation : 

The  regulations  should  require  a  covered  entity  to  protect  against  inadvertent  disclosures  of 
protected  health  information  concerning  sensitive  health  care  services  (defined  as  services 
relating  to  reproductive  health,  sexually  transmitted  diseases,  substance  abuse,  and  mental 
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health)  by  obtaining  the  individual's  authorization  prior  to  communicating  with  the  individual  (or 
the  policyholder)  at  the  individual's  home  (whether  by  phone  or  by  mail). 

Radoaale: 

Individuals  seeking  sensitive  health  care  services  have  a  heightened  concern  that  information 
about  their  medical  condition  or  treatment  may  be  inadvertently  disclosed  to  others  in  their 
household,  such  as  roommates,  house  mates,  or  family  members  (including  parents  in  situations 
where  a  minor  lawfully  obtains  a  health  care  service  without  the  consent  of  or  notice  to  the 
parent).  Disclosures  could  be  made  inadvertently  by  health  care  providers  or  health  plans  when 
they  attempt  to  conununicate  with  the  individual  by  mail  or  telephone  to  the  individual's  home, 
including  the  mailing  of  explanation  of  benefits  (EOB)  forms  or  bills  to  the  individual  or  to  the 
policyholder  who  is  a  family  member  of  the  individual  (usiially  a  spouse  or  parent).  For 
example,  a  therapist's  ofiBce  might  leave  a  mess^e  on  the  home  message  machine  to  remind  a 
patient  of  an  upcoming  appointment  and  that  message  could  be  heard  by  anyone  who  resides  in 
that  household.  A  young  woman  who  has  seen  the  family's  regular  doctor  for  advice  about 
family  plarming  services  might  come  home  to  find  that  a  bill  or  EOB  has  been  sent  to  her  or  even 
to  her  parents  even  though  the  minor  has  lawfully  obtained  those  services  without  involving  her 
parent  These  types  of  communications  can  seriously  compromise  the  privacy  of  an  individual 
and  may  even  deter  the  individual  fi-om  seeking  needed  medical  treatment. 

To  avoid  such  inadvertent  disclosures,  a  covered  entity  should  be  required  to  obtain  the 
individual's  authorization  prior  to  commimicating  with  the  individual  at  the  individual's  home 
(whether  by  phone  or  by  mail)  whenever  the  individual  seeks  or  obtains  sensitive  health  care 
services.  That  authorization  should  specifically  ask  whether  the  provider  or  plan  can  call  the 
individual  at  home,  send  communications  via  mail  to  the  individual's  home,  or  send  bills  or  EOB 
forms  to  the  individual's  home.  If  the  individual  does  not  authorize  communications  such  as 
these,  the  individual  should  provide  on  the  authorization  form  a  phone  number  or  an  address  for 
such  communications  and  must  indicate  how  payment  will  be  arranged  if  payment  is  due. 

We  therefore  recommend  the  following  changes  to  ensure  that  providers  and  plans  do  not 
inadvertently  disclose  information  to  household  or  family  members  about  sensitive  health  care 
services: 

( 1 )  Amend  section  164.506(aXl  Ki)  as  follows: 

(I)  Permitted  uses  and  disclosures.  A  covered  entity  is  permitted 
to  use  or  disclose  protected  health  information  as  follows: 

(i)  Except  for  research  information  unrelated  to  treatment^  aad 
psychoAerapy  notes,  and  information  about  sensitive  health  care 
services  as  set  out  in  section  164.508(a¥3¥i)(C).  to  carry  out 
treatment,  payment,  or  health  care  operations. 

(2)  Add  a  new  subsection  164.508(a)(3XiKQ: 

fO  Disclosure  of  infomiation  pertaining  to  an  individual's  request  or  receipt  of  sensitive 
health  care  services  through  phone  or  mail  communications  to  the  individnal's  home^ 
including  mailing  appointment  notices,  calling  the  home  to  confirm  or  schedule 
appointments,  mailing  a  bill  or  explanation  of  benefits  form  to  the  individual's  home 
(whether  addressed  to  the  individual  or  to  a  family  member  who  is  the  policyholder).  If 
the  individual  does  not  authorize  the  covered  entity  to  communicate  with  the  individual 
in  these  ways,  the  covered  entity  may  ask  the  individual  to  provide  a  phone  number  or  an 
address  for  such  communications  and  may  require  the  individual  to  indicate  how  payment 
will  be  arranged  if  payment  is  due. 

(3)  Add  a  new  subsection  164.508(aV3¥ivVCl: 

Sensitive  health  care  services  means  services  relating  to 
reproductive  health,  sexually  transmitted  diseases, 
substance  abuse,  or  mental  health. 
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These  comments  on  "Individual  Authorization"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabihties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Center  for  Reproductive  Law  and  Policy 
Conraiittee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children' s  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

HEALTH  OVERSIGHT 

Section  164.510(c)    Disclosures  and  uses  for  health  oversight  activities. 
Recommendatioii: 

We  are  deeply  concerned  that  the  health  oversight  section  contains  too  few  limits  on  access  and 
reuse  of  protected  health  information.  We  urge  that  the  final  regulation  include  a  bar  on  the  re- 
use and  re-disclosure  of  protected  health  information  in  actions  against  individuals.  Or,  if  the 
Secretary  believes  she  is  limited  by  the  delegation  of  authority  in  HIPAA,  we  urge  the  Executive 
Branch  to  issue  an  Executive  Order  barring  such  re-uses  and  re-disclosures.  Such  a  limit  is 
essential  to  ensure  that  the  relatively  easy  access  afforded  to  health  oversight  officials  does  not 
become  the  back-door  for  law  enforcement  access. 

We  believe  it  is  critical  for  the  Secretary  to  clearly  distinguish  between  law  enforcement  access 
and  access  to  conduct  health  oversight  activities.  In  addition,  we  recommend  that  the  Secretary- 
either  through  Executive  Order  or  in  this  regulation-  require  health  oversight  officials  to  justify 
their  need  for  identifiable  health  information. 

Rationale: 

Nearly  every  federal  legislative  proposal  pending  on  health  privacy  includes  a  provision  that  bars 
health  oversight  agencies  fi-om  using  the  information  they  gain  in  any  imrelated  action  against 
individxials.  The  policy  goal  underlying  this  limitation  is  to  achieve  the  goal  of  allowing 
government  officials  unfettered  access  to  the  records  of  health-related  entities  to  investigate 
fraud  and  abuse,  while  safeguarding  individual  privacy.  The  stated  justification  for  such  access 
has  been  that  the  targets  of  oversight  activities  are  usually  not  individual  patients,  but  providers 
and  payers.  It  is  critical  here  to  create  a  legal  limit  that  erects  a  wall  between  health  oversight 
activities  and  law  enforcement  investigations.  To  do  otherwise  would  severely  undermine  the 
Administration's  stated  goal  of  limiting  law  enforcement  access  to  identifiable  health 
information. 

Beyond  the  scope  of  the  Secretary's  authority  in  this  regulation,  we  believe  the  Executive  Branch 
is  empowered  to  issue  an  Executive  Order  barring  the  re-use  and  redisclcsure  of  protected  health 
information  obtained  piusuant  to  oversight  Such  an  order  would  establish  legally  enforceable 
limits  directly  on  the  federal  employees  charged  with  executing  health  oversight  responsibiUties. 

We  are  especially  concerned  by  commentary  in  the  proposed  regulation  that  "agencies  that 
conduct  both  oversight  and  law  enforcement  activities  would  be  subject  to  this  provision 
[oversight]  when  conducting  oversight."  Again,  without  a  limit  on  reuse  and  redisclosure, 
nothing  in  this  proposal  prohibits  law  enforcement  officials  from  gaining  unfettered  access  to 
protected  health  information  fix>m  oversight  officials,  although  they  would  be  subject  to 
procedural  limits  if  seeking  records  solely  under  the  law  enforcement  section.  Oiu- 
recommendation  is  intended  to  close  the  loop  with  a  more  airiight  policy  that  distinguishes 
between  the  various  roles  government  officials  play  in  the  health  care  arena.  While  a  bar  on 
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using  protected  health  infonnation  in  actions  against  individuals  is  an  essential  safeguard,  we 
also  urge  that  the  final  regulation  require  oversi^t  officials  to  document  their  need  for  access  to 
information  for  a  ^)ecified,  autiMxized  oversigfat  purpose.  Such  a  requirement  would  build  in  a 
cracial  layer  of  accountability. 


These  comments  on  "Health  Oversight"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Cento-  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Groi^ 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All  \. 
Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearin^ouse 
Women's  Law  Project 

JUDICIAL  AND  ADMBSISTRATIVE  PROCEEDINGS 

Section  164^10(d)     Disclosures  and  uses  for  judicial  and  administrative  proceedings. 

SUMMARY 

We  are  generally  pleased  with  the  way  the  Department  has  handled  disclosiu-es  in  judicial  and 
administrative  proceedings  requiring  court  orders.  In  particular,  we  dpprcciate  the  Secretary's 
approach  in  section  164.510(dXl)  which  limits  disclosures  of  {m>tected  health  infonnation  to 
cases  where  parties  have  obtained  a  court  or  administrative  order.  However,  we  are  very 
concerned  with  the  loophole  allowing  disclosure  of  protected  health  information  solely  on  the 
basis  of  a  letter  from  an  attorney  without  any  notice  to  the  person  whose  records  are  subpoenaed. 
We  are  concerned,  however,  that  there  is  still  the  potential  for  real  damage  to  individuals  because 
the  rule  does  not  go  ^  enough  to  establish  proper  limits  with  regard  to  judicial  and 
administrative  proceedings.  We  therefore  suggest  that  ttic  following  changes  be  made: 

1 .  Specify  minimum  Lnfomiation  that  must  be  included  in  court  and  administrative 
orders  requiring  disclosure  of  protected  health  information; 

2.  Specify  that  disclosures  not  pursuant  to  a  court  order  must  be  limited  to  the 
amount  reasonably  necessary  to  respond  to  the  subpoena;  and 

3.  Provide  that  covered  entities  may  not  disclose  information  unless  the  individual 
who  is  the  subject  of  the  infonnation  or  the  individual's  representative  has  had  a 
reasonable  opportunity  to  object  to  the  disclosure. 

1.       COURT  ORDERS 
Recommendation : 

While  we  agree  with  the  Secretary's  general  ^proach  relating  to  court  orders,  we  are  concerned 
that  the  proposed  rule  does  not  go  far  enough  to  set  forth  basic  information  that  should  be 
included  in  court  and  administrative  orders  requiring  the  disclosiue  of  protected  health 
information.  While  we  recognize  that  there  must  be  a  balance  between  protecting  information 
and  allowing  litigants  access  to  information,  we  do  not  pn^se  to  change  the  standards  by  which 


148 


judicial  and  administrative  orders  are  issued.  We  do  propose,  however,  that  orders  include 
minimum  information  to  guide  those  disclosing  protected  health  information  and  to  notify  those 
receiving  information  that  the  information  cannot  be  used  or  disclosed  for  other  purposes.  While 
we  recognize  that  the  proposed  rule  will  apply  to  a  broad  spectrum  of  judicial  and  administrative 
proceedings  and  that  different  federal  and  state  courts  and  administrative  tribunals  may  issue 
orders  that  vary  greatly  in  content,  we  believe  that  specifying  what  information  must  be  included 
in  orders  would  be  consistent  with  different  practices  and  the  Secretary's  policy  of  limiting 
disclosure  of  protected  health  information.  At  a  minimum,  court  and  administrative  orders 
should  1)  provide  that  the  protected  health  information  is  subject  to  court  protection;  2)  state  the 
nature  of  the  information  to  be  disclosed,  and  to  the  extent  practicable,  identify  specific 
information  to  be  disclosed;  3)  specify  to  whom  the  mformation  may  be  disclosed;  4)  specify 
that  such  information  may  not  otherwise  be  used  or  disclosed;  and  5)  meet  any  other 
requirements  that  the  court  or  tribunal  determines  are  needed  to  protect  the  confidentiality  of  the 
information. 

We  recommend  the  following  changes: 

Add  a  new  subsection  (4)  to  section  164.510(d)  as  follows: 

(4)      Court  and  administrative  orders.  An  order  requiring  disclosure  of 
individually  identifiable  health  information  shall— 

a)  provide  that  the  protected  health  information  involved  is  subject  to  court 
protection: 

b)  state  the  nature  of  the  information  to  be  disclosed,  and  to  the  extent  practicable, 
identify  specific  information  to  be  disclosed: 

c)  specify  to  whom  the  information  mav  be  disclosed: 

d)  specify  that  such  information  may  not  otherwise  be  used  or  disclosed:  and 

e)  meet  any  other  requirements  that  the  court  determines  are  needed  to  protect  the 
confidentiality  of  the  information. 

Rationale: 

We  believe  that  specifying  what  information  must  be  included  in  court  orders  is  necessary  to 
adequately  enforce  section  164.510(d)(3)(i)-which  requires  that  covered  entities  disclosing 
information  only  disclose  that  information  which  is  authorized  by  the  order.  Without  clearly 
stating  what  must  be  included  in  orders,  the  Secretary's  abihty  to  enforce  this  section  would  be 
Umited. 

Also,  without  this  information,  entities  required  to  disclose  information  would  be  more  likely  to 
disclose  irrelevant  and  uimecessary  information  in  response  to  vague  and  ambiguous  orders 
rather  than  risk  sanctions  for  not  disclosing  information.  We  do  not  believe  that  including  this 
information  would  impose  undue  burdens  on  courts,  administrative  tribunals  or  private  litigants 
because  parties  often  times  are  able  to  articulate  either  specific  documents  or  the  nature  of  the 
documents  requested.  This  information  can  easily  be  incorporated  into  court  and  administrative 
orders.  While  we  recognize  that  in  many  cases  parties  may  not  be  able  to  identify  specific 
documents,  orders  should  be  sufficiently  clear  to  limit  disclosure  to  only  that  information  the 
court  deems  necessary  to  meet  the  request,  and  if  practicable,  should  state  specific  information. 
Several  of  the  bills  introduced  in  the  106th  Congress  include  similar  provisions.  See  S.  578 
(Jeffords/Dodd);  S.  881  (Bennett);  H.R.  2470  (Greenwood). 

2.        DISCLOSURES  NOT  PURSUANT  TO  COURT  OR  ADMINISTRATIVE 
ORDERS 

Recommendation: 

We  applaud  the  Secretary's  efforts  in  section  164.5lO(dX3Xi)  to  limit  disclosures  pursuant  to 
court  and  administrative  orders  to  only  that  protected  health  information  authorized  to  be 
disclosed  in  the  order.  However,  the  Secretary  does  not  have  similar  protections  for  disclosures 
injudicial  and  administrative  proceedings  that  arc  not  pursuant  to  court  or  administrative  orders. 
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See  section  164.510(dK3)(ii).  We  believe  that  only  infonnation  reasonably  necessary  to  respond 
to  a  subpoena  should  apply  to  requests  when  courts  and  administrative  tribunals  have  not 
reviewed  or  ordered  disclosure  of  protected  health  information.  While  we  recognize  that  it  may 
sometimes  be  difdcult  for  parties  responding  to  requests  to  determine  exactly  what  information 
the  requesting  party  seeks,  the  holder  of  the  protected  health  information  should  not  have  blanket 
authority  to  disclose  all  protected  health  information-only  that  information  which  is  reasonably 
necessary  to  respond  to  the  subpoena  should  be  disclosed. 

We  recommend  the  following: 

Add  a  new  subsection  (3)(iii)  to  section  164.510(d)  as  follows: 

(3)  Ciii)  Where  a  party  has  subpoenaed  protected  health  information  not  accompanied  by  a  court 
order,  the  covered  entity  may  only  disclose  that  protected  health  infomiation  which  is  reasonably 
necessary  to  respond  to  the  subpoena,  and  may  not  disclose  information  about  third  parties. 

Rationale: 

Not  limiting  the  amount  of  information  which  can  be  disclosed  raises  significant  concerns  when 
the  protected  health  information  of  third  parties  is  included  in  the  medical  record  of  another 
person.  For  example,  parmers  of  HTV  positive  individuals  may  have  their  protected  health 
infonnation  unnecessarily  disclosed  if  the  HTV  positive  individual  reported  his  or  her  partner's 
name  to  his  or  her  own  physician.  Disclosure  could  occur  under  a  number  of  scenarios, 
including  a  subpoena  in  a  personal  injury  lawsuit  where  the  HIV  positive  individual's  medical 
condition  is  at  issue.  While  some  providers,  plans  or  parties  may  choose  to  redact  the 
information  pertaining  to  third  parties,  some  may  not-thereby  disclosing  sensitive  personal 
infonnation.  In  order  to  prevent  these  types  of  disclosures,  we  recommend  that  the  Secretary 
limit  disclosures  without  a  court  or  administrative  order  to  that  information  reasonably  necessary 
to  respond  to  a  subpoena.  We  also  note  that  without  changes  to  the  other  parts  of  the  section 
these  protections  will  frequently  be  bypassed. 

3.       REASONABLE  OPPORTUNITY  TO  OBJECT 
Recommendation: 

The  proposed  rule  does  not  require  that  an  individual  whose  protected  health  information  has 
been  subpoenaed  be  notified.  Under  the  proposed  rule,  individuals  would  have  an  opportunity  to 
object  to  the  disclosure  only  if  the  applicable  state  or  federal  law  provides  notice  and  opportunity 
to  object.  While  we  recognize  that  many  federal  and  state  statutes  likely  permit  litigants  to 
object  through  private  counsel  to  discovery  requests  propounded  by  opposing  parties,  some 
states  may  not  We  believe  that  a  federal  notice  and  reasonable  opportunity  to  object  provision 
would  afford  this  minimiun  level  of  protection. 

We  recommend  that  the  Secretary  include  a  provision  prohibiting  disclosure  of  protected  health 
information  unless  the  individual  who  is  the  subject  of  the  information  has  had  1)  reasonable 
notice  of  the  subpoena  and  2)  reasonable  opportunity  to  move  the  court,  or  other  presiding 

ofScial,  to  qtiash  the  subpoena  on  the  basis  that  the  individual's  privacy  interest  outweighs  the 
interest  of  die  person  seeking  the  information.  Many  of  the  bills  introduced  in  the  106th 
Congress  have  similar  requirements.  See,  S.  578  (Jeffords/  Dodd);  S.  881  (Bennett);  S.  573 
(Kennedy/Leahy);  H.R.  1941  (Waxman/Condit);  and  H.R.  2470  (Greenwood). 

We  recommend  the  following: 

Add  a  new  subsection  (5)  to  section  164.510(d)  as  follows: 

(5)       Reasonable  Notice  and  Opportunity  to  Object.  Where  a  subpoena  for 
disclosure  is  not  accompanied  by  a  court  order,  a  covered  entity  may  not  disclose 
individually  identifiable  health  infonnation  unless  the  individual  who  is  the 
subject  of  the  information  has  had  —  (i)  reasonable  notice  of  the  subpoena  and 
(ii)  a  reasonable  opportunity  to  move  the  court  or  other  presiding  official,  to 
quash  the  subpoena  on  the  basis  that  the  intj^vidual's  privacy  interest  outweighs 
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the  interest  of  the  person  seeking  the  information,  tatang  into  consideration  the 
heightened  importance  of  protecting  information  regarding  sensitive  medical 
conditions. 

Rationale: 

While  we  recognize  that  holders  of  protected  health  information  may  argue  that  this  reqiiirement 
is  burdensome,  states  such  as  California  ah-eady  have  similar  requirements.  See  California  Code 
of  Civil  Procedure  Sec.  1985.3(b).  Parties  requesting  the  information  would  ultimately  be 
responsible  for  ensuring  that  individuals  who  are  the  subject  of  the  information  are  notified  of 
the  subpoena.  Entities  holding  the  information  would  not  be  required  to  perform  any  additional 
task  other  than  request  a  copy  of  the  proof  of  service  to  the  notice  sent  to  the  individual  who  is 
the  subject  of  the  information. 

These  comments  on  "Judicial  and  Administrative  Proceedings"  have  been  endorsed  by  the 
following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Groi^) 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Famili« 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

LAW  ENFORCEMENT 

Section  164^1 0(f)     Disclosures  for  law  enforcement  purposes. 
SUMMARY 

We  object  strongly  to  the  proposed  limits  on  law  enforcement  access  to  protected  health 
information.  We  do  acknowledge  the  positive  shift  in  the  Administration's  approach  from  its 
recommendations  submitted  to  the  Congress  in  1997.  Nevertheless,  we  continue  to  advocate  for 
a  legally  enforceable  limit  that  accomplishes  two  goals: 

♦  The  requirement  that  law  enforcement  ofiGcials  obtain  legal  process  issued  by  a  neutral 
magistrate,  and 

♦  A  requirement  that  the  legal  process  issue  only  after  the  magistrate  has  applied  a  strong 
legal  standard  in  weighing  the  request. 

In  our  view,  neither  of  these  goals  are  met  in  this  proposed  regulation.  We  urge  that  the  final 
regulation  require  law  enforcement  to  obtain  legal  process  —  such  as  a  warrant  or  court  order  — 
.  that  is  judicially-approved  after  application  of  a  Fourth  Amendment  probable  cause  standard. 
Only  with  these  two  requirements  in  place  can  we  ensure  that  an  individual's  most  fimdamental 
privacy  rights  are  guaranteed. 

Not  only  is  this  the  right  approach  for  the  protection  of  medical  records,  it  is  the  approach 
CTibedded  in  the  federal  privacy  statutes  protecting  peoples'  communications,  cable  subscriber 
records,  and  even  video  rental  lists.  These  federal  privacy  laws  require  law  enforcement  to 
comply  with  constitutionally-based  procedures  prior  to  obtaining  access  to  the  protected 
information-  None  of  these  laws  act  as  an  absolute  bar  to  law  enforcement  access;  quite  the 
contrary.  The  procedural  safeguards  provide  a  fimdamental  buffer  of  accountability  and 
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oversight  to  ensure  that  goveraniCTt  ofBcials  do  not  abuse  their  authority,  or  overreach  into  a 
citizen's  private  realm  without  sufficient  justification.  Such  limits  on  government  action  fonn  the 
bedrock  of  our  constitutional  government,  and  reflect  the  first  principles  on  which  this  country 
was  founded 

We  do  not  dispute  law  enforcement's  stated  need  for  protected  health  information  in  certain 
circimistances.  However,  law  enforcement  has  failed  to  meet  its  burden  to  justify  such  a 
sweeping  exception  from  accepted  Fourth  Amendment  safeguards.  The  case  has  not  been  made 
that  requiring  judicial  process  would  be  so  burdensome  as  to  significantly  interfere  with 
investigations.  In  fact,  we  are  unaware  that  law  enforcement  efforts  have  been  impeded  by  the 
requirements  in  other  federal  privacy  laws,  or  by  the  limits  placed  on  law  enforcement  access  to 
medical  records  by  a  number  of  state  laws.  In  our  report  The  State  of  Health  Privacy:  An  Uneven 
Terrain,  we  note  that  a  number  of  states  require  law  enforcement  to  obtain  judicial  process  prior 
to  receiving  personal  health  information  from  certain  health  care  aitities. 

1.  NEUTRAL  MAGISTRATE 
Reconameadatioo : 

The  regulations  should  prohibit  disclosures  unless  law  enforcement  has  obtained  legal  process  by 
a  neutral  magistrate. 

Rationale: 

Nodiing  in  the  draft  regulation  requires  law  enforcement  to  obtain  legal  process  issued  by  a 
neutral  magistrate.  In  fact,  the  proposal  lays  out  a  Chinese  menu  of  options  for  law  enforcement 
to  choose  from,  ranging  form  a  warrant  or  order  (judicially-issued)  to  an  administrative  subpoena 
or  civil  investigative  demand  (which  can  be  drafted  and  issued  internally,  without  judicial 
approval).  The  danger  here  is  that  law  enforcement  officials  are  given  firee  reign  to  always 
choose  the  least  protective  process,  one  that  requires  no  neutral  judicial  review  of  the  merits  of 
die  request 

We  believe  that  the  final  regulation  should  codify  existing  good  practice  and  pohcy  of  both  law 
enforcement  and  health  care  organizations.  For  instance,  health-related  associations  have  adopted 
strong  policies  that  require  law  enforcement  to  present  a  judicially-approved  legal  process  prior 
to  receiving  a  patient's  records.  See  for  instance,  the  policies  and  guidelines  of  the  American 
Medical  Association,  the  American  Hospital  Association,  the  American  Health  Information 
Management  Association,  and  the  similar  positions  taken  by  an  array  of  health  plans  and 
research  organizations. 

We  urge  that  this  section  be  narrowed  to  eliminate  the  legal  process  options  that  do  not  require 
judicial  review. 

2.  LEGAL  STANDARD 
Recommendation: 

The  three-pronged  standard  for  issuing  the  administrative  processes  should  be  strengthened  and 
balanced.  In  addition,  without  the  requirement  of  judicial  review,  there  is  no  assurance  that  the 
standard  will  be  applied  in  an  objective  and  fair  manner. 

Rationale: 

We  urge  that  the  proposed  regulation  be  strengthened  to  require  that  a  Fouitii-Amendment, 
probable  cause  standard  be  applied  by  a  judicial  officer.  We  urge  that  the  proposed  standard  be 
replaced  with  the  standard  currently  in  force  in  the  Video  Privacy  Protection  Act  of  1988,  which 
mandates  that  law  enforcement  can  only  obtain  access  to  an  individual's  video  rental  information 
after  obtaining  a  warrant  or  court  order  upon  a  "showing  of  compelling  need  of  the  need 
information  that  can  not  be  accommodated  by  any  other  means.**  (18  U.S.C.  2710).  Similarly,  the 
Cable  Communications  Policy  Act  of  1984  requires  law  enforcement  to  obtain  a  court  order  after 
a  judicial  officer  has  determined  there  is  clear  and  convincing  evidence  that  the  subject  of  the 
information  is  reasonably  suspected  of  engaging  in  criminal  activity,  and  the  information  would 
be  material  to  the  case.  (47  U.S.C.  551).  In  addition,  the  Federal  Educational  Rights  Privacy  Act 
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of  1968,  the  Electronic  Communications  Privacy  Act  of  1986,  and  the  Privacy  Protection  Act  of 
1980  (press  records)  all  require  law  enforcement  to  obtain  judicial  process,  such  as  a  warrant  or 
court  order,  based  on  a  strong  standard.  In  fact,  over  time,  the  Congress  has  imposed  more 
stringent  limits  on  law  enforcement  access  to  individuals'  records. 

We  believe  that  the  federal  law  protecting  the  privacy  of  health  information  should  be  just  as 
strong,  if  not  stronger,  than  the  protections  for  cable  and  video  records.  Medical  records  contain 
some  of  the  personal  and  sensitive  information,  and  the  misuse  of  peoples'  medical  information 
can  lead  to  loss  of  jobs  and  benefits,  discrimination,  embarrassment,  and  other  harms.  At  issue 
here  is  that  people  are  more  reluctant  to  seek  care,  and  fully  participate  in  their  own  care,  when 
inadequate  privacy  protections  are  in  place. 

3.       "LIMITED  IDENTIFYING  INFORMATION" 
Recommendation: 

The  proposal  to  allow  disclosures  of  "limited  identifying  information"  is  an  unjustified 
exception  to  the  legal  process  requirement  that  creates  the  opportunity  for  law  enforcement  to 
engage  in  fishing  expeditions  in  attempts  to  gather  enough  information  to  support  the  issuance  of 
legal  process. 

Rationale: 

We  are  particularly  opposed  to  the  exception  that  permits  disclosures  for  the  purpose  of 
identifying  suspects  and  fugitives.  We  urge  that  the  "limited  identifying  information"  section  be 
deleted,  or  at  minimum,  that  the  exception  for  access  to  information  on  suspect's  be  deleted. 


4.  NATIONAL  SECURITY  EXCEPTION 
Recommendation: 

The  proposal's  national  security  exceptions  are  too  sweeping,  and  should  be  narrowed  to 
reflect —  at  minimum  —  the  status  quo  limits  on  law  enforcement  access  for  inteUigence  and 
national  security  activities. 

Rationale: 

Current  law  provides  special  procedures  for  intelligence  gathering  activities,  but  there  is  no 
precedent  in  the  federal  law  for  such  a  blanket  exemption  from  lawful  process  for  agencies 
engaged  in  domestic  law  enforcement.  We  are  concerned  that  under  the  proposed  regulations, 
the  Secret  Service  could  demand  the  complete  medical  records  of  all  individuals  receiving 
mental  health  services  without  first  demonstrating  that  any  particular  individual  poses  a  threat  to 
a  protectee.  Again,  we  urge  that  law  enforcement  officials  engaged  in  national  security  and 
intelligence  activities  be  required  to  demoristrate  their  need  for  a  particular  person's  protected 
health  information  prior  to  receiving  access. 

5.  NOTICE 
Recommendation: 

We  urge  that  the  final  regulations  include  a  requirement  that  individual's  receive  notice  of 
proposed  searches  and  an  opportunity  to  contest  the  search.  Such  safeguards  are  built  in  to 
existing  federal  privacy  statutes,  such  as  The  Right  To  Financial  Privacy  AcL 

Rationale: 

Notice  and  the  opportunity  to  contest  are  fimdamental  procedural  safeguards  diat  would  help 
ensure  fairness  and  balance.  As  with  these  other  laws,  if  law  enforcement  demonstrates  that 
notice  to  individuals  would  give  rise  to  the  risk  of  flight  or  destruction  of  records,  a  waiver  of  the 
notice  requirement  could  be  permitted. 
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These  comments  on  "Law  Enforcemair  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
BazeloQ  Cento-  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  CitizCTS  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Healtii 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Families 

Privacy  Rights  Qearinghousc 

Women's  Law  Project 

GOVERNMENTAL  HEALTH  DATA  SYSTEMS 

Scctioa  164J10(£)    Dbdosares  and  uses  for  govemmeataJ  healtb  daU  systems. 

SUMMARY 

We  understand  the  need  of  legitimate  governmental  health  data  systems  for  patient  inforaiatioa. 
We  are  concerned,  however,  tiiat  the  current  language  of  the  regulations  would  permit  disclosure 
of  protected  health  information  for  purposes  wholly  unrelated  to  healdi  care.  We  are  also 
concerned  that,  due  to  the  limits  of  HIPAA,  governmental  health  data  systems  are  not  subject  to 
the  oirrcnt  privacy  regulations.  We  urge  Congress  to  take  action  to  a  close  this  gap  in  the 
protection  afforded  to  identifiable  health  infomiation. 

1.  THE  SCOPE  OF  PERMISSIBLE  PURPOSES 
Recommendatioo : 

Section  164.5 10(g)  should  be  amoided  to  peraait  disclosures  only  to  governmental  health  data 
systems  that  collect  health  data  for  health  care  related  purposes. 

RatioBale: 

In  the  preamble,  the  Secretary  e3q)lains  that  she  proposes  to  permit  covered  entities  to  disclose 
protected  health  infomiation  for  inclusion  in  State  or  other  governmental  health  data  systems 
when  such  disclosure  is  authorized  by  law  for  analysis  in  support  of  policy,  planning,  regulatory 
and  aianagement  functions.  64  Fed.  Reg.  59964.  The  Secretary  then  explains  that  she  "believefs] 
that  Congress  intended  to  permit  States  ...  To  operate  health  data  collection  systems  for 
analyzing  and  improving  the  health  care  system.'"  Id.  (Emphasis  added)  We  believe  that 
allowing  disclosures  for  these  limited  purposes  is  the  correct  approach.  The  draft  regulations, 
however,  do  not  carry  out  the  Secretary's  apparait  intent  to  limit  disclosures  to  government 
health  data  systems  who  will  use  the  data  for  health  care  (or  health  care  system)  purposes. 

Section  164.510(g)  allows  a  covered  entity  to  "disclose  protected  health  infomiation  to  a 
government  agency,  or  a  private  entity  acting  on  behalf  of  a  government  agency,  for  inclusion  in 
a  governmental  health  data  system  that  collects  health  data  for  analysis  in  support  of  policy, 
planning,  regulatory,  or  management  functions.'"  (Emphasis  added)  The  type  of  policy, 
planning,  regulatory  or  management  function  is  not  at  all  qualified  or  limited  by  the  regulation. 
The  unqualified  language  of  the  proposed  regulation  is  so  broad  as  to  allow  disclosure  to 
countless  federal  and  state  agencies  with  no  direct  health  responsibilities.  For  example,  the  police 
could  qualify  to  obtain  all  identifiable  patient  data  for  a  database  designed  to  help  the  police 
make  decision  about  management  of  the  use  of  police  resources  near  a  health  care  facility.  This 
regulatory  provision,  which  grants  free  access  to  protected  health  information,  should  not  create 
a  mechanism  whereby  government  agencies  can  effectively  circumvent  the  standards  that  they 
would  otherwise  have  to  meet  to  obtain  this  protected  information. 
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To  alleviate  this  potential  problem,  section  164.510(g)  should  amended  as  follows: 

(g)  Disclosures  and  uses  for  governmental  health  data  systems  - 

(1)  A  covered  entity  may  disclose  protected  health  information  to  a  government  agency, 
or  private  entity  acting  on  behalf  of  a  government  agency,  for  inclusion  in  a 
governmental  health  data  system  that  collects  health  data  for  analysis  in  support  of  health 
care  related  poUcy,  planning,  regulatory,  or  management  functions  authorized  by  law. 

(2)  Permitted  uses.  Where  a  covered  entity  is  itself  a  government  agency  that  collects 
health  data  for  analysis  in  support  of  health  care  related  policy,  planning,  regulatory,  or 
management  functions ... 


2.  SCOPE  OF  THE  REGULATIONS 
Recommendation : 

Congress  should  enact  comprehensive  health  privacy  legislation  applying  to  all  entities  that 
generate,  receive  or  transfer  protected  health  information. 

Rationale: 

Under  the  terms  of  HIPAA,  these  privacy  regulations  may  only  ^ply  to  health  plans,  certain 
health  providers,  and  health  care  clearinghouses.  Governmental  health  data  systems  do  not  fall  in 
any  of  these  categories  and  therefore  are  not  subject  to  the  restrictions  contained  in  the  proposed 
regulations.  These  systems  collect  a  wealth  of  protected  health  information  and  should  be  subject 
to  federal  protections.  We  recognize  that  the  Secretary  can  not  currently  act  in  this  area  and  we 
urge  Congress  to  pass  legislation  closing  this  gap  in  coverage. 


These  comments  on  "Governmental  Health  Data  Systems"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Famihes 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

DIRECTORY  INFORMATION 

Section  164310(h)    Disclosures  of  directory  information. 

SUMMARY 

We  support  the  general  rule  that  health  care  providers  may  disclose  protected  health  information 
for  directory  purposes  only  where  the  individual  has  agreed  to  such  disclosure.  We  encourage  the 
Secretary  to  change  the  language  of  the  preamble  to  clarify  the  that  minors  who  lawfully  obtain 
health  care  services  without  parental  involvement  havs  the  right  to  decide  whether  their 
information  may  be  released  for  directory  information  purposes. 
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RecoBmoidatioBs: 

1 .  Delete  from  the  preamble  discussion  of  the  next-of-kin  section  (page  59973)  the 
following  statement:  "The  proposed  definition  of  'individual'  addresses  related 
disclosures  regarding  minors  and  incapacitated  individuals." 

2.  Add  to  the  preamble  at  page  59935  the  following  explanation: 

c.  Disclosures  pertaining  to  minors.  In  general,  because  the  definition  of 
individual  would  include  parents,  a  parent,  guardian,  or  person  acting  in  loco 
parentis  could  exercise  the  rights  established  under  this  regulation  on  behalf  of 
their  minor  (as  established  by  applicable  law)  children.  However,  in  cases  where 
a  minor  lawftilly  obtains  a  health  care  service  without  the  consent  of  or 
notification  to  a  parent,  the  minor  would  be  treated  as  the  individual  for  purposes 
of  exercising  any  rights  established  under  this  regulation  with  respect  to  protected 
health  information  relating  to  such  health  services.  For  example,  a  minor  who 
lawfully  obtains  a  health  care  service  without  parental  involvement  would  have 
the  riehts  of  the  "individual."  guaranteed  under  sections  164.51001)  and 
164.510(1).  to  agree  or  object  to  the  release  of  directory  information  or  disclosures 
to  next-of-kin  pertaining  to  care  received  without  parental  involvement. . . . 

RatioBale: 

It  is  our  understanding  that  the  definition  of  "individual,"  including  its  treatment  of  minors, 
applies  throughout  the  rule  wherever  the  term  "individual"  is  used.  We  are  concerned,  however, 
that  one  isolated  reference  in  the  preamble  (page  59973)  to  the  j^licability  of  the  definition  of 
"individual"  in  one  specific  context  may  raise  the  inference  that  this  definition  may  not  apply  in 
other  contexts.  As  a  result,  we  recommend  that  diis  one  statement  in  the  preamble  be  deleted 
and  that  the  preamble  include  the  explanatory  language  above. 

These  comments  on  "Directory  Information  "  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Groi^ 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Qearinghouse 
Women's  Law  Project 
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BANKING  AND  PAYMENT  PROCESSES 

Section  164310(j)     Disclosures  for  banking  and  payment  processes. 

The  draft  regulations  provide  that  only  the  minimum  amount  of  protected  health  infonnation 
necessary  be  used  or  disclosed  to  complete  a  banking  or  payment  activity.  We  believe  that  this  is 
the  correct  approach.  Additional  information  is  not  needed  for  these  purposes.  Howcvct,  since 
banks  and  financial  institutions  fall  outside  the  scope  of  these  regulations,  we  urge  Congress  to 
pass  comprehensive  health  privacy  legislation  that  limits  the  uses  and  further  disclosures  of  even 
this  minimal  amount  of  protected  health  information  by  financial  institutions. 

With  the  growing  ability  to  manipulate  data  through  computerization,  we  are  concerned  that 
financial  institutions  may  use  even  this  minimal  protected  health  information  for  making 
financial  decisions.  For  instance,  a  financial  instimtion  may  be  able  to  identify  an  individual  who 
has  paid  for  treatment  by  an  oncologist  and  deny  the  individual  a  mortgage  based  on  that 
infonnation.  We  realize  that  financial  institutions  are  beyond  the  scope  of  the  Secretary's 
authority,  and  that  only  Congress  can  impose  restrictions  on  the  uses  that  a  financial  institution 
can  make  of  protected  health  information  obtained  through  tfie  payment  process. 


These  conunents  on  "Banking  and  Payment  Processes"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  DisabiUties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortiimi  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Famihes 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 

RESEARCH 

Section  164.5100)     Uses  and  disclosures  for  research  purposes. 
SUMMARY 

Generally,  we  support  the  intention  with  regard  to  research  in  the  draft  regulation.  We  are 
pleased  that  the  regulation  aims  to  establish  uniform  rules  for  researchers  regardless  of  the  source 
of  funding. 

Today,  federal  regulations  —  known  as  the  "Common  Rule"  —  only  cover  federally-funded 
research,  or  research  conducted  in  anticipation  of  FDA  approval.  This  has  'efl  a  large  —  and 
growing  —  body  of  research  outside  the  scope  of  federal  regulations,  and  without  any  oversight 
or  accountability.  As  the  Chair  of  the  Dartmouth  IRE  commented,  *Today,  if  I  want  to  study  the 
medical  history  of  congressional  representatives,  and  I  don't  use  federal  funds,  I  may  be  able  to 
get  access  to  your  medical  records  without  going  through  any  meaningful  review  process." 
(Robert  Amdur,  House  Commerce  Hearing,  May  27,  1999)  This  proposed  regulation  represents 
a  significant  step  forward  in  that  it  would  help  to  close  that  gap. 
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Overall,  we  believe  the  proposed  regulation  attempts  to  subject  all  research  to  an  objective  and 
balanced  review  process.  We  support  the  additional  privacy-specific  review  criteria,  and  support 
the  requirement  that  the  privacy  board  include  one  member  who  is  not  affiliated  with  the 
institution. 

In  our  comments,  however,  we  argue  that  all  research  should  be  subject  to  IRB  approval. 
We  believe  that  IRB  approval  is  the  most  effective  mechanism  to  establish  uniform  and  equitable 
roles  for  research,  reganiless  of  the  source  of  fimding.  We  recognize  that  the  Common  Rule 
addresses  many  more  issues  than  confidentiality,  and  that  for  this  reason,  there  may  be  resistance 
to  Imnging  all  research  under  its  scope.  The  creation  of  new  "privacy  boards"  is  therefore  an 
attempt  to  isolate  and  address  only  the  confidentiality  concerns  of  a  research  project  If  the 
regulation  does  not  bring  all  research  under  die  Conmion  Rule,  the  proposed  regulation  should 
be  revised  to  ensure  diat  there  are  similar  standards  and  equal  oversight  and  accountability  for 
both  IRBs  and  privacy  boards. 

If  the  final  regulation  continues  to  allow  for  the  use  of  newty-formed  "privacy  boards"  then  we 
strongly  believe  that  the  final  regulation  include  a  series  of  revisions  to  ensure  that  there  is 
greater  equity  in  die  standards  and  procedures  used  by  both  IRBs  and  privacy  boards. 

Finally,  it  is  important  to  note  that  the  draft  regulation  only  speaks  to  the  use  and  disclosure  of 
"protected  health  information'*  by  covered  entities  —  healdi  care  providers,  health  plans  and 
clearinghouses.  Researchers  who  generate  their  own  health  information  fail  outside  the  scope  of 
the  regulations  if  they  are  not  based  within  a  covered  entity,  and  do  not  provide  healdi  care.  We 
understand  that  this  reflects  the  legal  constraint  inq>osed  on  HHS  by  the  HIPAA.  Since  a  great 
deal  of  research  will  continue  to  fall  outside  the  scope  of  federal  regulation,  we  believe  that  ther? 
is  still  an  important  role  to  be  played  by  Congress  to  fill  diis  gap. 

1.  INSTITUTIONAL  REVIEW  BOARDS 


The  draft  regulation  should  be  revised  in  order  to  ensure  that  there  is  uniformity  and  equity 
between  federally  funded  and  privately  fimded  research.  In  particular,  the  draft  regulation 
should  be  revised  to  prohibit  a  covered  entity  from  disclosing  protected  health  information  to  any 
researcher  unless  the  research  has  been  approved  by  an  Institutional  Review  Board.  The 
Secretary  should  eliminate  the  option  of  using  a  privacy  board. 

RatMHule: 

The  proposed  regulation  seeks  to  establish  uniform  and  consistent  rules  for  research,  regardless 
of  the  source  of  funding.  We  beheve  that  the  most  effective  and  equitable  way  to  reach  this  goal 
is  to  require  that  all  disclosures  for  research  be  conditioned  on  the  approval  of  an  Institutional 
Review  Board. 

This  is  not  a  new  approach.  Hawaii  and  Washington  State  both  require  approval  by  an 
institutional  review  board  prior  to  disclosure  for  research  purposes.  Hw.  Rev.  Stat  sec.  232c-37 
and  Wash.  Rev.  Code  Ann  sec.  70.02.050(1).  Maine  requires  approval  by  an  institutional  review 
board  or  by  '^e  board  of  a  nonprofit  health  research  organization"  prior  to  disclosure  for 
research  purposes.  Me.  Rev.  StaL  Ann  tit  22,  sec.  1 71 1  -G. 

Over  the  years,  many  comprehensive  health  privacy  bills  have  extended  the  Common  Rule  to 
cover  privately-funded  research.  Researchers  who  have  testified  before  Congress  have  also 
taken  this  position.  Finally,  research  organizations  have  also  defended  the  IRB  system  as  an 
appropriate  mechanism  for  the  review  of  research.  The  International  Society  for 
Pharmacoepidemiology,  for  example,  has  taken  the  position  that: 

All  pharmacoepidemiological  studies  that  use  personally  identifiable  data  should 
be  subject  to  ethics  review  board  approval  before  study  commences.  The  IRB 
mechanism  has  been  and  should  continue  to  be  the  keystone  for  protecting  patient 
confidentiality  by  evaluating  the  use  of  potentially  identifiable  data  and 
considering  such  use  in  the  light  of  privacy  and  confidentiality  concerns.  ISPE 
also  recommends  that  the  same  IRB  mechanisms  for  protecting  data 
confidentiality  be  available  to  both  the  public  and  private  sector.  ISPE 
recognizes  the  need  for  active,  competent,  and  objective  IRBs  in  this  field.  "Data 
Privacy,  Medical  Record  Confidentiality,  and  Research  in  the  Interest  of  Public 
Health,"  September  1997. 


64-101  2000  -6 


158 


We  believe  that  the  regulation  —  in  so  far  as  it  creates  new  "privacy  boards"  that  can  take  the 
place  of  IRBs  —  ultimately  perpetuates  the  bifurcation  between  privately  and  publicly  ftmded 
research.  In  the  final  analysis,  under  the  proposed  rule,  privately  funded  research  will  continue 
to  be  less  accountable  than  if  it  were  subject  to  the  Common  Rule. 

While  we  appreciate  the  effort  to  create  similar  systems  of  review  between  IRBs  and  privacy 
boards,  we  do  not  believe  that  it  is  possible  to  match  the  standards  in  the  Conunon  Rule.  The 
benefits  to  an  IRB  system  that  are  not  reflected  in  the  privacy  boards  include: 

♦  Review:  In  the  current  proposal,  privacy  boards  exist  only  to  grant  a  waiver  for 
patient  authorization.  In  contrast,  IRBs  are  integrally  involved  in  every  step  of 
the  research  project  including:  reviewing  methods  to  select  research  subjects, 
determining  whether  informed  consent  is  necessary,  and  deciding  what 

^  information  should  be  given  to  subjects  of  research  and  when. 

♦  Guidance:  Standards  for  research  are  not  simply  expressed  in  the  Rule  itself,  but 
in  the  guidance  and  opinions  put  out  by  HHS  to  IRBs.  Use  of  records,  and 
consent  requirements  will  vary  widely  depending  on  the  kind  of  research  being 
undertaken  and  the  populations  being  studied.  The  IRB  guidebook,  for  example, 
includes  detailed  guidance  for  different  kinds  of  research  such  as  genetic  research, 
records-based  research,  epidemiological  research,  research  on  minors,  research  on 
mentally  disabled,  research  on  a  stigmatized  condition,  research  whose  findings 
may  impact  a  social,  ethnic  or  racial  group,  and  research  on  disadvantaged 
populations. 

♦  Accountability:  IRBs  have  established  oversight  mechanisms  and  avenues  of 
redress  for  research  subjects. 

The  use  of  a  privacy  board  —  whose  only  role  is  to  review  eight  criteria  to  grant  a  waiver  of 
authorization  —  is  a  rather  blunt  tool  to  replace  a  system  of  patient  protections  established  over 
many  years. 

It  is  true  that  the  IRB  system  is  in  need  of  improvement,  and  we  are  aware  that  a  number  of 
reviews  of  the  existing  IRB  system  are  ongoing,  including  by  the  National  Bioethics  Advisory 
Commission  (NBAC),  and  the  Institute  of  Medicine.  We  agree  that  the  system  should  be  studied 
and  improved  as  needed.  Continuing  to  exempt  privately-funded  research  fi-om  IRB  review, 
however,  leaves  patients  vulnerable  to  a  research  system  with  few  controls  and  little 
accountability. 


2.       AUTHORIZATION  REQUIREMENTS 
Recommendation: 

If  the  regulation  continues  to  allow  for  privacy  board  review,  these  bodies  should  use  the  same 
standards  as  IRBs.  In  particular,  the  drafl  regulation  should  be  revised  to  prohibit  a  covered 
entity  bom  disclosing  protected  health  information  solely  based  on  an  authorization  in  section 
64.508.  We  believe  that  in  addition  to  overseeing  the  authorization  process,  IRBs  must  assess 
other  risks  and  benefits  to  individuals.  In  other  words,  it  is  not  enough  to  just  get  consent 
Rather  than  allowing  researchers  to  rely  just  on  the  authorization  outlined  in  section  164.508,  the 
regulation  should  mirror  the  standards  currently  adhered  to  by  federally-funded  research,  which 
are  as  follows: 

♦  The  research  is  exempt  from  IRB  review  because  it  meets  the  criteria  outlined  in 
the  Common  Rule,  or 

♦  The  research  is  approved  by  an  IRB  which  may  a)  waive  the  informed  consent 
requirement,  or  b)  approve  the  necessary  components  of  the  informed  consent 
requirement. 

Rationale: 

Currently,  research  that  is  subject  to  the  Common  Rule  must  be  reviewed  by  an  IRB,  unless  it 
meets  one  of  the  itemized  exceptions.  The  IRB  may  waive  the  informed  consent  requirement  if 
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project  meets  certain  criteria.  If  tfie  IRB  determines  that  informed  consent  is  appropriate,  it 
also  reviews  the  consent  form  to  be  used  in  the  research  project 

In  contrast,  the  draft  regulation  allows  covered  entities  to  disclose  protected  health  information  to 
researchers  in  two  situations: 

1 )  The  researcher  has  obtained  an  authorization  fix)m  the  patient  pursuant  to  section 
164.508 

2)  The  researcher  has  obtained  a  waiver  of  the  informed  consent  requirement  from 
an  IRB  or  Privacy  Board,  after  meeting  certain  requirements. 

By  indtiding  the  first  option,  the  current  regulation  would  allow  privately-funded  researchers  to 
by-pass  any  form  of  review  and  oversight  if  they  receive  patient  authorization.  This  option  is  not 
available  to  federally-funded  research.  What's  more,  the  proposed  authorization  for  research 
inchides  fewer  elements  than  an  authorization  currently  required  by  the  Common  Rule. 

One  of  the  major  responsibilities  of  an  IRB  is  to  assess  the  risks  and  benefits  of  proposed 
research.  In  turn,  those  findings  should  be  reflected  in  the  authorization  form  so  that  an 
individual  can  make  an  informed  choice  about  whether  to  participate  in  the  research  process. 
The  IRB  Guidd}ook  clarifi^  that: 

One  of  the  IRB's  most  important  activities  is  evaluating  the  information  to  be 
provided  to  potential  subjects  in  light  of  the  risks  and  benefits  of  the  proposed 
research  procedures...  In  making  a  judgement  concerning  what  information  should 
be  disclosed  in  the  informed  consent  process,  the  IRB  shoidd  attempt  to  view  the 
matter  from  the  subject's  perspective  by  asking  what  £acts  the  subjects  might  want 
to  know  before  deciding  whethCT  or  not  to  participate  in  the  research.  IRB 
Guidebook, 

If  the  intent  of  the  proposed  federal  regulation  is  to  create  uniform  rules  for  research,  then  no 
research  should  be  permissible  absent  the  approval  of  an  IRB  or  privacy  board.  A  researcher 
should  not  be  able  to  access  protected  health  information  simply  by  relying  on  the  authorization 
as  outlined  in  section  164.508.  This  authorization  is  intended  to  be  used  for  a  wide  variety  of 
circumstances  —  such  as  maiiceting,  sale  of  health  information,  and  employment  determination 
—  and  does  not  include  criteria  specific  to  research.  Informed  consent  as  outlined  in  the 
Conunon  Rule,  for  example,  must  include: 

♦        The  risks  and  benefits  associated  with  participating  in  a  research  project,  and 

t        Information  about  if  and  when  the  subject  of  the  health  information  can  access 
information  about  themselves  that  is  derived  fix)m  the  research. 


3.       PRIVACY  BOARDS:  RECORD  KEEPING 
RecommendatioB : 

Where  the  IRB  or  Privacy  Board  waives  the  authorization  requirement,  it  should  provide  the 
covered  entity  with  documentation  as  to  how  they  arrived  at  their  decision. 

Rationale: 

The  proposed  rule  only  requires  that  the  covered  entity  document  that  the  privacy  board  or  IRB 
beUeves  that  the  criteria  for  a  waivo-  of  authorization  was  met.  In  order  to  build  in  a  degree  of 
accountability  into  the  decision-making  process,  the  IRB  or  Privacy  Board  should  also  provide 
the  covered  entity  wiA  information  as  to  how  they  came  to  their  decision.  Under  the  Common 
Rule,  IRBs  must  adhere  to  the  following  guidelii^: 

The  institution,  or  when  appropriate  the  IRB,  must  prepare  and  maintain  adequate 

documentation  of  IRB  activities  [Federal  Policy  sec.  .  1 1 5].  In  addition  to  the 

written  IRB  procedures  and  membership  lists  required  by  the  Assurance  process 
[Federal  Policy  sec.  .103],  such  documentation  must  include  copies  of  all 
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research  proposals  reviewed,  minutes  of  TRB  meetings,  records  of  continuing 
review  activities,  copies  of  all  correspondence  between  the  IRB  and  investigators, 
and  statements  of  significant  new  findings  provided  to  subjects  (as  required  by 
Federal  Policy  sec  .116(b)(5)). 

Minutes  of  IRB  meetings  must  be  kept  in  suflBcient  detail  to  record  the  following 
information:  attendance  at  each  meeting;  actions  taken  by  the  IRB;  the  vote  on 
actions  taken  (including  the  number  of  members  voting  for,  gainst,  and 
abstaining);  the  basis  for  requiring  changes  in  or  disapproving  research;  and  a 
written  sununaiy  of  the  discussion  of  controverted  issues  and  their  resolution 
[Federal  Policy  sec.^  .  1 1 5(a)(2)]. 

IRB  records  must  be  retained  for  at  least  three  years;  records  pertaining  to 
research  that  is  conducted  must  be  retained  for  three  years  after  completion  of  the 
research.  All  records  must  be  accessible  for  inspection  and  copying  by  authorized 
representatives  of  the  department  or  agency  supporting  or  conducting  the  research 
at  reasonable  times  and  in  a  reasonable  manner  [Federal  Policy  sec.  .  1 1 5(b)]. 

In  the  future,  this  information  will  help  to  study  how  the  criteria  is  being  interpreted  and 
implemented  by  privacy  boards  and  IRBs. 

4.       PRIVACY  BOARD:  VOTING  RULES 
Recommendation: 

The  privacy  board  should  follow  the  same  voting  rules  as  required  under  the  Conmion  Rule. 
Rationale: 

The  proposed  regulation  currently  includes  no  guidance  as  to  how  the  privacy  board  should 
approve  or  deny  researcher  requests.  Under  the  Conmion  Rule,  IRBs  must: 

...  review  proposed  research  at  convened  meetings  at  which  a  majority  of  the 
members  of  the  IRB  are  present,  including  at  least  one  member  whose  primary 
concerns  are  in  nonscientific  areas.  In  order  for  the  research  to  be  proved,  it 
shall  receive  a  majority  of  those  members  present  at  the  meeting.  Section  .108 

Under  the  Common  Rule,  the  research  proposal  might  also  be  allowed  to  undergo  an  "expedited 
review"  in  which  the  Chair  of  the  IRB  can  alone  approve  the  proposal,  or  pass  it  along  for  full 
review. 

We  suggest  that  privacy  boards  be  held  to  the  same  standards  and  that  this  be  made  explicit  in 
die  regulation.  Since  only  certain  categories  of  research  are  eligible  for  expedited  review,  this 
regulation  needs  to  cross-reference  those  categories  as  amended  and  updated  by  the  Secretary  of 
Health  and  Human  Services. 


5.       PRIVACY  BOARDS:  SPONSORING  ENTITY 
Recommendation: 

The  regulation  should  require  that  privacy  boards  be  based  at  a  covered  entity,  or  covered  by  the 
contractual  requirements  of  business  partners. 

Rationale: 

The  draft  regulation  allows  privacy  boards  to  be  based  either  at  the  entity  disclosing  data,  or  the 
entity  receiving  data.  If  the  privacy  board  is  based  at  the  entity  receiving  data,  and  that  entity  is 
not  a  covered  entity,  there  will  be  little  ability  to  enforce  the  regulation,  or  study  the 
effectiveness  of  the  standards. 
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IRB  records  must  be  retained  for  at  least  three  years;  records  pertaining  to 
research  that  is  conducted  must  be  retained  for  three  years  after  completion  of  the 
research.  All  records  must  be  accessible  for  inq)ection  and  copying  by  authorized 
rqnesentatives  of  the  department  or  agency  supporting  or  conducting  the  research 
at  reasonable  times  and  in  a  reasonable  manner  [Federal  Policy  sec.  .1 15(b)]. 

In  die  future,  this  infonnation  will  help  to  study  how  the  criteria  is  being  interpreted  and 
implemented  by  privacy  boards  and  IRBs. 

4.  PRIVACY  BOARD:  VOTING  RULES 
Recommendation: 

The  privacy  board  should  follow  the  same  voting  rules  as  required  under  the  Common  Rule. 
RatioBale: 

The  proposed  regulation  ciirrently  includes  no  guidance  as  to  how  the  privacy  board  should 
approve  or  deny  researcher  requests.  Undo*  the  Common  Rule,  IRBs  must: 

...  review  proposed  research  at  convened  meetings  at  which  a  majority  of  the 
members  of  the  IRB  are  present,  including  at  least  one  member  whose  primary  ? 
concerns  are  in  nonscientific  areas.  In  order  for  the  research  to  be  approved,  it 
shall  receive  a  majority  of  those  members  present  at  the  meeting.  Section  .  108 

Under  the  Conunon  Rule,  the  research  proposal  might  also  be  allowed  to  undergo  an  "expedited 
review"  in  which  the  Chair  of  the  IRB  can  alone  2^rove  the  proposal,  or  pass  it  along  for  full 
review. 

We  suggest  that  privacy  boards  be  held  to  the  same  standards  and  that  this  be  made  explicit  in 
die  regulation.  Since  only  certain  categories  of  research  are  eligible  for  expedited  review,  this 
regulation  needs  to  cross-reference  those  categories  as  amended  and  updated  by  the  Secretary  of 
Health  and  Human  Services. 

5.  PRIVACY  BOARDS:  SPONSORING  EM  iTY  ii 
Recommendation: 

The  regulation  should  require  that  privacy  boards  be  based  at  a  covered  entity,  or  covered  by  the 
contractual  requirements  of  business  parmers. 

Rationale: 

The  draft  regulation  allows  privacy  boards  to  be  based  either  at  the  entity  disclosing  data,  or  the 
entity  receiving  data.  If  the  privacy  board  is  based  at  the  entity  receiving  data,  and  tfiat  entity  is 
not  a  covered  entity,  there  will  be  little  ability  to  enforce  the  regulation,  or  smdy  the 
effectiveness  of  the  standards. 

6.  PRIVACY  BOARDS:  MEMBERSHIP 
Recommendation: 

The  membership  requirements  of  privacy  boards  should  ensure  that  at  least  one  membo-  is  not 
afiBliated  with  the  entity  receiving  or  disclosing  protected  health  information. 

Rationale: 

The  draft  regulation  currently  requires  that  the  privacy  board  include  "at  least  one  member  who 
is  not  afiBliated  with  the  entity  conducting  the  research  or  related  to  a  person  who  is  afBliated 
with  such  entity."  Sec.  504.5 10(jXl)(ii)(B),  emphasis  added.  In  theory,  then,  a  health  plan  could 
create  a  privacy  board  comprised  entirely  of  employees  if  they  were  approving  research  projects 
that  were  to  be  conducted  by  outside  entities. 

In  contrast,  the  Common  Rule  requires  that  each  IRB  include  at  least  one  member  who  is  '^t 
affiliated  with  the  institution  and  who  is  not  part  of  die  immediate  family  of  a  person  who  is 
affiliated  with  the  institution."  Sec.  46.107(d),  emphasis  added. 
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We  believe  that  the  requirement  as  articulated  in  the  Common  Rule  is  more  sound  in  so  far  as  it 
ensures  that  at  least  one  member  is  not  affihated  with  the  entity  receiving  or  disclosing  patient 
data. 


7.        RETEl>rnON  OF  RECORDS 
Recommendation : 

The  proposed  regulation  should  be  revised  to  require  covered  entities  to  retain  documentation  of^ 
and  related  to,  waivers  of  patient  authorization  for  at  least  six  years  firom  when  the  waiver  was 
obtained. 

Rationale: 

The  proposed  regulation  does  not  include  specific  requirements  to  retain  records  related  to 
research  including  documentation  of  a  waiver  of  patient  authorization.  Under  the  proposed 
regulation,  however,  covered  entities  are  required  to  retain  a  number  of  records  for  at  least  six 
years  including  contracts,  samples  of  notices,  and  certifications.  Covered  entities  should  retain 
the  documentation  related  to  a  waiver  of  patient  authorization  for  at  least  the  same  time. 


8.       RESEARCH  INFORMATION  UNRELATED  TO  TREATMENT 
Recommendation: 

The  proposed  regulation  should  be  revised  to  ensure  that  research  information  unrelated  to 
treatment  is  afforded  higher  protection  in  all  circumstances.  Research  information  unrelated  to 
treatment  should  only  be  disclosed,  with  appropriate  safeguards,  when  needed  for  the  oversight 
of  the  specific  health  care  researcher.  In  all  other  circumstances,  there  should  be  a  prohibition 
against  disclosure,  unless  the  patient  has  given  authorization. 

Rationale: 

Under  the  proposed  regulation,  "research  information  unrelated  to  treatment"  may  not  be 
disclosed  without  specific  patient  authorization  for  treatment,  payment  and  health  care 
operations.  We  agree  that  this  is  a  critical  protection,  and  agree  with  the  justification  outlined  in 
the  proposal.  In  particular,  we  agree  that  patients  will  be  reluctant  to  participate  in  research  if 
they  fear  that  the  information  could  be  disclosed,  or  used  against  them.  Since  this  information 
does  not  have  scientific  merit  and  cannot  be  used  to  help  treat  a  patient,  it  should  not  be  available 
to  providers,  insurers,  employers  or  others. 

The  proposed  regulation  distinguishes  between  research  information  and  research  information 
that  is  not  related  to  the  treatment  of  an  individual.  They  are  defined  as  follows: 

Research  means  a  systematic  investigation,  including  research  development, 
testing  and  evaluation,  designed  to  develop  or  contribute  to  generalizable 
knowledge.  "Generalizable  knowledge"  is  knowledge  related  to  health  that  can 
be  applied  to  populations  outside  of  the  population  served  by  the  covered  entity. 
Section  164.504. 

Research  information  unrelated  to  treatment  means  health  information  that  is 
received  or  created  by  a  covered  entity  in  the  course  of  conducting  research,  for 
which  there  is  insufficient  scientific  and  medical  evidence  regarding  the  validity 
or  utility  of  the  information  such  that  it  should  not  be  used  for  the  purpose  of 
providing  health  care,  and  with  respect  to  which  the  covered  entity  h?s  not 
requested  payment  fix)m  a  third  party  payor.  Section  164.508(a)(3)(iv)(B) 

We  are  concerned  that  while  research  information  unrelated  to  treatment  is  afforded  greater 
protections  in  the  context  of  treatment,  payment,  and  health  care  operations,  it  is  vulnerable  to 
disclosiire  in  other  circumstances.  Section  164.510  of  the  proposed  regulation  identifies 
additional  circumstances  in  which  protected  health  information  (which  includes  ^'research 
information  unrelated  to  treatment")  may  be  disclosed  without  patient  authorization.  These 
circumstances  include:  to  law  enforcement  officials,  injudicial  and  administrative  proceedings, 
in  health  oversight  activities,  and  to  govenunental  healUi  data  systems. 
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Patients  will  be  unwilling  to  participate  in  research  studies  without  strong  protections  for  the 
information  obtained  and  created  in  the  course  of  daat  research.  Research  information  diat  is 
unrelated  to  treatment  should  be  afforded  particularly  strong  protections,  given  the  unknown 
vatidity  of  the  information. 

Research  information  unrelated  to  treatment  should  only  be  disclosed,  with  appropriate 
safeguards,  in  the  oversight  of  die  health  care  researcher  if  that  information  will  not  thai  be  used 
in  any  action  against  the  individual.  In  all  odier  circimistances,  there  should  be  a  prohibition 
against  disclosure,  unless  the  patient  has  givoi  authorization.  In  Hawaii,  for  example, 
researchers  are  expressly  prohibited  from  using  or  disclosing  **piotected  health  information  for 
any  purposes"  excqit  to  a  health  oversight  agency.  Hw.  Rev.  Stat  Sec.  323c-37(c). 

9.       RESEARCH  INFORMATION  UNRELATED  TO  TREATMENT:  DEFINITION 
RecoBflMadatioB: 

The  definition  of  "research  information  unrelated  to  treatment"  should  be  revised  to  ensure  diat 
once  information  is  classified  as  such,  it  can  not  be  re-classified  as  something  else  at  a  later  date. 
The  new  definition  should  read: 

Research  information  unrelated  to  treatment  means  health  information  that  is 
received  or  created  by  a  covered  entity  in  the  course  of  conducting  r^earch,  for 
which  there  is  insufBcient  scientific  and  medical  evidence  regarding  the  validity 
or  utility  of  the  information  at  the  time  of  collection  such  that  it  should  not  be 
used  for  the  purpose  of  providing  health  care,  and  witii  respect  to  which  the 
covered  entity  has  not  requested  payment  from  a  third  party  payor.  Sec. 
164.508(aX3XivXB). 

RatkMale: 

In  order  for  information  to  be  "research  information  unrelated  to  treatment"  there  must  be 
"insufScient  scientific  and  medical  evidence  regarding  the  validity  or  utility  of  the  information.*' 
Sec.  164.508(aX3Xiv)(B).  We  think  that  this  is  an  appropriate  test  We  believe,  however,  that 
without  qualifying  language,  this  information  would  be  vubierable  to  disclosure  m  the  fiiture,  if 
die  information  were  later  to  become  of  scientific  validity. 

The  regulation  should  be  clear  that  once  information  is  considered  "research  information 
unrelated  to  treatment"  it  remains  that  way.  This  is  especially  important  given  that  it  is  a£forded 
different  treatment  under  the  proposed  regulation. 

RESEARCH  INFORMATION  UNRELATED  TO  TREATMENT: 
AUTHOIUZATION  REQUIRED 

Recommendation: 

Section  164.508(aX3Xiii)  should  be  revised  in  the  following  way: 

A  covered  entity  may  not  condition  treatment,  enrollment  in  a  health  plan,  or 
payment  on  a  requirement  that  the  individual  authorize  use  or  disclosure  of 
psychotherapy  notes  or  research  informatinn  unrelated  to  treatment  relating  to  the 
individual. 

Rationale: 

The  proposed  regulation  provides  that  research  information  unrelated  to  treatment  should  not  be 
used  or  disclosed  for  treatment,  payment,  and  health  care  operations  widwut  the  specific, 
informed  consent  of  die  subject  We  agree  diat  diis  requirement  is  essential  in  order  to  protect 
subjects  of  research. 
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The  introductory  materials  to  the  regulation  indicate  that  covered  entities  should  be  prohibited 
from  conditioning  treatment  or  payment  for  health  care  on  receiving  an  authorization.  This 
provision,  however,  does  not  ^pear  in  the  language  of  the  regulation  itself.  We  believe  that  thi& 
is  a  technical  error,  and  not  a  dispute  in  policy. 


11.      PATIENT  ACCESS 
Recommendation : 

If  the  research  is  not  subject  to  IRB  or  privacy  board  review,  the  patient  should  have  the  right  to 
review  all  information  that  will  be  disclosed  prior  to  the  disclosure,  and  be  informed  of  their 
right  to  access  information  created  as  a  result  of  the  research.  B)  Where  research  information 
held  by  a  covered  entity  can  be  disclosed  to  third  parties,  patients  should  also  have  access  to  that 
information. 

Rationale: 

We  agree  that  tfiere  are  circumstances  —  such  as  clinical  trials  —  where  it  may  not  be 
appropriate  for  patients  to  have  access  to  research  information  before  the  conclusion  of  the 
research  project.  We  agree  that  an  IRB  or  privacy  boaid  is  the  appropriate  venue  to  balance  a 
patient's  need  to  know,  and  a  researcher's  need  to  keep  some  information  from  a  patient  Some 
research,  however,  would  still  fall  outside  the  scope  of  IRB  or  privacy  board  review.  In  tfiose 
circumstances,  patients  should  have  the  right  to  access  such  information. 
The  proposed  regulation  provides  patients  some  rights  to  access  research  informatioiL 
Circumstances  include: 

♦  When  research  includes  the  delivery  of  care:  Under  the  proposed  regulation, 
patients  are  given  access  to  "designated  record  sets."  Sec.  164.514.  The  record 
set  is  defined  as  "a  group  of  records...  which  is  used  by  the  covered  entity  to  make 
decisions  about  the  individual."  Sec.  164.504.  Where  research  includes  the 
delivery  of  care,  therefore,  a  patient  would  have  the  right  to  access  that 
information  related  to  their  own  care.  (The  one  relevant  excq)tion  relates  to 
clinical  trials.) 

♦  When  the  research  is  conducted  without  patient  authorization:  When  an  IRB  or 
privacy  board  reviews  a  request  for  a  waiver  of  authorization,  they  must 
**>^enever  appropriate"  provide  subjects  with  "additional  pertinent  information 
after  participation."  Sec.  164.5 10(j)(3)(iv).  Therefore,  a  patient  may  have  a  ri^t 
to  access  certam  research  information  if  the  IRB  or  privacy  board  has  waived  the 
authorization  requirement  (The  guidance  notes,  appropriately,  that  this  is  a  bit 
awkward,  but  is  ultimately  in  the  interest  of  the  patient) 

♦  When  a  patient  authorizes  the  disclosure  of  records  for  research,  unrelated  to  the 
delivery  of  care:  Under  the  proposed  regulation,  a  patient  has  the  right  to  see  the 
information  that  will  be  disclosed  to  a  researcher,  and  the  patient  must  be  notified 
of  this  right  on  the  authorization  form.  Sec.  164.508.  This  right,  however,  is 
restricted  to  information  in  the  "designated  record  set" 

We  appreciate  that  the  regulation  seeks  to  balance  a  patient's  right  to  access  their  own  health 
information  with  the  researcher's  need  to  keep  some  information  from  the  patient  As  a  general 
rale,  patients  should  have  access  to  their  health  information,  if  access  is  granted  to  third  parties. 
In  the  case  of  research  information,  the  same  rules  should  apply:  if  the  research  information  can 
be  disclosed  to  third  parties,  patients  should  also  have  access  to  that  information,  particulariy  if 
there  are  any  potential  consequences  to  the  patient  as  a  result  of  the  disclosure. 

Generally,  under  the  proposal,  patients  are  only  given  the  right  to  access  "designated  record 
sets."  Again,  the  record  set  is  defined  as  "a  group  of  records...  which  is  used  by  the  covered 
entity  to  make  decisions  about  the  individual."  Sec.  164.504.  Under  this  definition,  a  patient 
would  not  have  a  right  to  access  research  information  unrelated  to  treatment  even  though  this 
same  information  could  be  shared  with  other  third  parties.  The  resuh  is  that  in  some  situations,  a 
patient  may  authorize  the  release  of  information  that  she  or  he  is  not  allowed  to  access. 
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12.      RESEARCH  ON  DECEASED  SUBJECTS 
Reco  mmen  dation : 

The  proposed  regulation  should  be  revised  to  extend  privacy  protections  to  research  on  deceased 
subjects,  and  should  be  consistent  with  the  regulations  rules  with  respect  to  the  privacy  of 
deceased  persons  generally.  (See  our  comments  on  "Deceased  Persons"). 

Rationale: 

We  recognize  that  the  current  system  of  federal  protections  ^plies  only  to  living  research 
subjects.  We  believe,  however,  that  since  the  proposed  regulation  creates  new  rights  for  people 
vis  a  vis  their  health  information,  it  is  appropriate  to  extend  such  rights  for  an  indefinite  period  of 
time  after  death.  This  protection  is  especially  important  where  the  research  has  imphcations  for 
living  relatives. 


13.  RELATIONSHIP  BETWEEN  HEALTH  CARE  OPERATIONS  AND  RESEARCH 

In  the  proposed  regulation,  health  care  operations  is  defined  broadly.  In  practice,  it  will  not 
always  be  clear  as  to  what  activities  should  be  considered  "research"  or  "health  care  operations." 
In  particular,  we  have  concerns  that  since  there  is  no  authorization  requirement,  or  meaningful 
review  of  health  care  operations,  there  are  incentives  for  covered  entities  to  identify  activities  as 
health  care  operations,  rather  than  research. 

We  have  submitted  sqjarate  comments  to  address  this  issue  under  'Treatment,  Payment  and 
Health  Care  Operations." 

14.  DEFINITION:  HEALTH  INFORMATION 
RccoDuncBdatioo: 

The  definition  of  health  information  should  be  revised  to  include  information  created  or  received 
by  a  researcher. 

Rationale: 

The  proposed  regulation  defines  health  information  to  include  information  that  is  "created  or 
received  by  a  health  care  provider,  health  plan,  pubUc  health  authority,  employer,  life  insurer, 
school  or  university,  or  health  care  clearinghouse."  The  definition  notably  does  not  include  a 
researcher. 

The  definition  of  health  information  is  particulariy  critical  because  the  definitions  of 
"individually  identifiable  healA  information"  and  "protected  health  information"  build  on  this 
definition.  In  so  far  as  this  definition  is  used  to  establish  continuity  between,  or  a  model  for, 
comprehensive  federal  legislation,  it  is  important  to  ensure  that  researchers  using  health 
information  are  subject  to  federal  privacy  standards. 

15.  DEFINITION:  INDIVIDUALLY  IDENTIFIABLE  HEALTH  INFORMATION 
Recommendation : 

The  definition  of  individually  identifiable  health  information  should  be  revised  to  include 
information  created  or  received  by  a  researcher. 

Rationale: 

The  proposed  regulation  defines  individually  identifiable  health  information  to  include 
information  that  is  "created  by  or  received  from  a  health  care  provider,  health  plan,  employer,  or 
health  care  clearinghouse."  The  definition  notably  does  not  include  information  received  by  or 
from  a  researcher. 

The  definition  of  individually  identifiable  health  information  is  critical  because  the  definition  of 
"protected  health  information"  builds  on  this  definition.  Under  the  definition  in  the  proposed 
regulation,  information  received  by  a  covered  entity  torn  a  researcher  would  not  be  subject  to 
the  regulations. 
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Further,  in  so  far  as  this  definidon  is  used  to  establish  continuity  between,  or  a  model  for, 
comprehensive  federal  legislation,  it  is  important  to  ensure  tiiat  researchers  using  personally 
identifiable  health  information  are  subject  to  federal  privacy  standards. 

16.  CONTRACT  BETWEEN  DISCLOSING  ENTITY  AND  RESEARCHER 
Recommendation: 

We  strongly  recommend  that  the  final  regulations  include  a  provision  prohibiting  disclosure  of 
protected  health  information  for  research  unless  covered  entities  enter  into  contracts,  enforceable 
under  law,  which  would  require  the  researcher  to  meet  the  review  criteria.  The  contracts  should 
be  in  addition  to  and  not  instead  of  IRB  or  privacy  board  review  of  research  protocols.  The 
contract  should  include  a  prohibition  on  secondary  disclosures. 

Rationale: 

The  proposed  regulation  already  requires  covered  entity  to  enter  into  contractual  relationships  for 
a  number  of  disclosures.  This  requirement  should  be  extended  to  disclosures  for  research.  The 
contract  provides  an  important  incentive  for  covered  entities  and  researchers  to  comply  with  the 
regulation. 

The  contract  should  be  the  same  as,  or  modeled  on  the  requirements  for  business  partners,  as 
outlined  in  the  proposed  regulation.  At  a  minimum,  the  contract  should  include  a  prohibition  on 
secondary  disclosures. 

17.  CRITERIA:  SENSITIVE  INFORMATION 
Recommendation: 

In  determining  whether  to  grant  a  waiver,  on  whole  or  in  part,  of  the  authorization  requirements, 
the  IRB  or  privacy  board  should  consider  the  type  of  protected  health  information,  and  the 
sensitivity  of  the  information  to  be  disclosed. 

Rationale: 

The  proposed  regulation  includes  eight  criteria  to  be  considered  before  a  privacy  board  or  IRB 
may  grant  a  waiver  of  authorization.  Section  165.510(j)(lK")(3).  We  believe  that  these  criteria 
are  sound  and  appropriate.  We  suggest,  however,  that  in  addition  to  the  eight  criteria  outlined, 
that  the  regulation  specifically  instruct  the  IRB  or  privacy  board  to  take  into  consideration  the 
type  and  sensitivity  of  the  protected  health  information  to  be  disclosed. 

As  with  other  uses  and  disclosures,  many  individuals  consider  certain  information  more  sensitive 
—  information  about  mental  health,  HTV/AIDS,  genetic  information,  or  information  about  abuse 
and  neglect.  Were  this  information  to  be  used  or  disclosed  improperly,  the  negative  impact  on 
the  individual  is  likely  to  be  greater  than  with  other  information. 

We  believe  that  it  is  iqjpropriate  for  IRB's  and  privacy  boards  to  consider  the  sensitivity  of  the 
information  to  be  disclosed  for  research  purposes,  especially  where  the  disclosure  will  be  made 
without  patient  authorization. 

These  comments  on  "Research"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabihties  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Healtii 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Gearin^ouse 
Women's  Law  Project 
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ADDITIONAL  USES  AND  DISCLOSURES  REQUIRED  BY 
OTHER  LAW 

Section  164^10(n).   Uses  and  disclosures  for  which  individual  authorization  is  not 
required.  Uses  and  disclosures  otherwise  required  by  law. 

Recommendation : 

Section  I64.510(n)  should  either  be  deleted  or  substantially  revised  so  that  the  provision  does  not 
undermine  the  general  statutory  intent  that  less  protective  state  laws  are  preempted  by  the  federal 
regulations. 

Rationale: 

Section  164.5 10(n)  allows  a  covered  entity  to  use  or  disclose  protected  health  information 
without  individual  authorization  'Vhere  such  use  or  disclosure  is  required  by  law  and  the  use  or 
disclosure  meets  all  relevant  requirements  of  such  law."  This  section  is  broadly  written  and 
could  apply  to  a  variety  of  state  laws  that  are  contrary  to  the  proposed  mle  and  less  protective  of 
privacy.  (Indeed,  a  law  requirine  disclosure  is  the  least  protective  of  privacy  since  it  allows  for 
no  discretion.)  The  breadth  of  this  provision  greatly  exceeds  the  exceptions  to  preemption  . 
contained  in  HIPAA. 

Section  1178(aXl)  of  HIPAA  generally  provides  that  the  administrative  simplification 
requirements  (including  privacy  standards)  si4>ersede  contrary  provisions  of  state  law. 
Subsection  (2)  of  this  provision  then  lists  specific  exceptions  to  this  general  mle  of  preemption, 
including  laws  requiring  mandatory  reporting  of  certain  health  conditions  and  disclosures  for 
licensure,  certification  and  similar  purposes.  Thus,  Congress  specifically  listed  the  types  of  state 
law  that  it  intended  to  preserve.  Section  164.510  incorporates  these  exceptions.  However,  by 
permitting  disclosures  pursuant  to  any  state  law  that  requires  reporting,  section  164.510(n) 
allows  an  exception  for  preemption  that  goes  well  beyond  those  listed  in  the  statute.  Interpreted 
in  a  broad  fashion,  section  164.5 10(n)  would  allow  states  to  subvert  federal  preemption  by 
making  disclosive  of  protected  health  information  a  requirement  for  any  purpose.  This  clearly  is 
not  what  Congress  intended. 

While  we  recognize  the  Secretary  is  probably  attempting  to  anticipate  unforeseen  consequences, 
there  is  the  very  real  possibility  that  this  provision  can  be  used  as  a  catchall  that  overrides  section 
160.203,  which  follows  HIPAA  and  provides  that  contrary  state  laws  (with  a  few  stated 
exceptions)  are  preempted.  To  the  extent  that  section  164.510(n)  could  be  interpreted  to  apply 
only  to  state  laws  that  are  not  contrary  to  the  proposed  mle,  it  is  not  necessary  since  nothing  in 
the  proposed  rule  would  preempt  state  laws  that  are  not  contrary  to  the  proposed  rule.  Any 
concerns  the  Department  may  have  about  the  breadth  of  state  law  preemption  (see  preamble  at 
page  59973)  can  and  should  be  addressed  through  the  waiver  process  outlined  in  section 
160.204(a),  not  through  wholesale  evisceration  of  HIPAA's  clear  language. 

NOTICE  OF  INFORMATION  PRACTICES 

Scctioa  164^12       Notice  to  individnals  of  information  practices. 
Section  164.520       Documentation  of  policies  and  procedures. 

SUMMARY 

We  agree  with  the  proposed  regulation  giving  individuals  the  right  to  adequate  notice  of  die 
information  practices  of  covered  plans  and  providers.  This  requirement  conforms  to  the  best 
principles  of  health  privacy  developed  by  the  Health  Privacy  Working  Group,  which  concluded 
that  individuals  should  be  given  easy-to-understand  written  notice  of  how  their  health 
information  will  be  used  and  by  whom.  Only  with  such  notice  can  people  make  informed, 
meaningful  choices  about  uses  and  disclosures  of  their  health  information.  Adequate  notice  can 
also  help  to  build  trust  between  patients  and  health  care  providers  organizations  in  so  far  as  it 
removes  any  element  of  surprise  about  the  use  and  disclosure  of  health  information. 

Moreover,  this  type  of  notice  requirement  is  already  an  established  element  of  many  privacy 
laws  including  the  Privacy  Act,  die  Uniform  Insurance  biformation  and  Patient  Protection  Act, 
and  in  various  state  health  privacy  laws.  See  e.g..  N.C.  Gen  Stat.  Sec.  58-39-25  (adopting  the 
Uniform  Insurance  Information  Act's  requirement  that  insurers  provide  all  applicants  and 
poUcyholders  written  notice  of  their  information  practices,  including  the  types  of  disclosures  that 
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may  be  made  without  prior  authorization  of  the  individual);  Haw.  Rev.  Stat.  Sees.  323C-13  and 
323C-22  (requiring  health  care  providers,  health  care  data  organizations,  health  plans,  employers 
and  others  to  provide  current  notice  of  confidentiaiity  practices). 

We  are  pleased  that  the  regulation  requires  the  notice  to  address  the  entities  existing  information 
practices,  rather  than  possible  information  practices.  This  component  of  the  regulation  should  be 
preserved. 

We  believe  that  the  notice  provisions  can  be  enhanced  in  a  number  of  ways. 


1.       REQUIRING  SIGNED  ACKNOWLEDGMENTS 
Recommendation: 

We  encourage  the  Secretary  to  require  a  covered  entity  to  make  a  reasonable  effort  to  obtain  a 
signed  acknowledgment  that  the  individual  has  received  and  read  the  notice  of  information 
practices.     .  ^  . . .        .  - -i. 

Rationale: 

It  is  important  that  individuals  be  informed  of  how  their  health  infomiation  is  going  to  be  used 
and  to  whom  it  is  going  to  be  disclosed.  One  method  of  accomplishing  this  is  by  requiring 
individuals  to  sign  an  initial  authorization,  at  which  point  in  time  the  individual  would  receive 
such  information,  and  authorize  such  uses.  See  our  comments  submitted  in  'Treatment,  Payment 
and  Health  Care  Operations."  However,  in  the  regulatory  scheme  proposed  by  the  Secretary, 
covered  entities  would  be  prohibited  from  using  authorization  forms  for  such  a  purpose. 
The  signing  of  an  acknowledgment  of  the  receipt  of  the  notice  of  inforaiation  practices  could 
effectively  perfonn  some  of  the  functions  of  an  authorization.  For  instance,  requiring  a  signature 
on  the  notice  of  information  of  practices  indicates  diat  it  contains  important  material  which 
requires  the  individual's  consideration.  Requiring  a  signature  makes  it  more  likely  that  the 
individual  has  actually  read  the  notice.  Furthemiore,  reading  and  signing  the  notice  of 
information  practices,  like  the  signing  of  an  authorization,  can  define  an  "initial  moment"  in 
which  patients  are  educated  and  provided  with  the  opportunity  to  raise  questions  about  privacy 
concems. 

There  is  some  precedent  for  imposing  a  signature  requirement  At  least  one  state  has  included  in 
its  comprehensive  health  privacy  law  a  requirement  that  covered  entities  make  a  reasonable 
effort  to  obtain  a  signed  acknowledgment  that  the  individual  has  read  the  notice  of  infomiation 
practices.  See  Haw.  Rev.  Stat.  Secs.323C-13  and  323C-22. 

Similarly,  Hawaii's  comprehensive  privacy  law  provides  a  potential  solution  to  the  issue  of  how 
health  plans  would  obtain  signed  acknowledgments.  Hawaii  requires  that  health  plans  make 
"reasonable  efforts  to  obtain  the  individual's  signature  on  the  notice  of  confidentiality  practices." 
"Reasonable  efforts"  may  include  but  are  not  limited  to  requiring  the  employer  to  present  the 
notice  to  the  individual  and  to  request  a  signature,  or  mailing  the  notice  to  the  individual  with 
instructions  to  sign  and  retum  the  notice  within  a  specified  period  of  time.  See  Haw.  Rev.  Stat 
Sec.  323C-22. 


2.       REVISING  THE  NOTICE 
Recommendation: 

The  regulations  should  impose  an  objective  standard  in  determining  whether  an  entity  has  a 
compelling  reason  for  altering  its  information  practices  before  it  provides  notice  of  such  changes. 

Rationale: 

Under  the  proposed  regulations,  a  covered  entity  generally  may  not  change  its  information 
practices  until  after  it  has  made  the  sqjpropriate  changes  to  its  notice  of  information  practices. 
Section.  164.520(g)-  However,  the  draft  rule  also  allows  a  covered  entity  to  deviate  from  the 
information  practices  specified  in  its  notice  before  the  notice  is  amended  "where  the  covered 
entity  determines  that  a  compelling  reason  exists"  to  make  such  a  use  or  disclosure.  We 
understand  an  entity's  need  for  flexibility  in  changing  its  information  practices. 
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We  are  concerned,  however,  that  the  subjective  language  of  the  regulation  may  give  an  entity  the 
unfettered  ability  to  engage  in  post  hoc  justifications  for  violations  of  its  own  information 
practices.  Under  the  regulation,  an  entity  can  decide  for  whatever  reason  it  believes  is 
"compelling"  to  change  its  practices  in  advance  of  notification.  Even  though  the  entity  is 
required  to  document  its  reasons,  the  standard  is  purely  subjective  —  i.e.,  what  the  entity 
believes.  There  is  no  objective  standard  for  reviewing  whether  the  entity  was  justified  in  its 
belief  that  it  needed  to  change  its  information  practices  before  amending  its  notice. 

This  potential  abuse  of  the  notice  provisions  can  easily  be  remedied.  We  suggest  that  the 

langtiage  of  §  164.520(gX2)  be  changed  as  follows: 

(2)  Where  the  oovwred  entity  detorminoo  that  a  compelling  reason  exists  for  a 
covered  entity  to  make  a  use  or  disclosure  or  take  another  action  permitted  under 
this  subpart  that  its  notice  and  policies  and  procedures  do  not  permit,  k  a  covered 
entity  may  make  the  use  or  disclosure  or  take  such  other  action  if: . . . 


3.       CONTENT  OF  THE  NOTICE 
Reconmeadation : 

The  regulations  should  require  that  notices  of  information  practices  include  language,  placed 
proniinently  at  the  beginning  that  clearly  notifies  the  itHiividual  of  the  general  content  of  the 
notice  such  as  the  following: 

IMPORTANT:  THIS  NOTICE  DEALS  WITH  THE  SHARING 
OF  INFORMATION  FROM  YOUR  MEDICAL  RECORDS. 
PLEASE  READ  IT  CAREFULLY. 

Ratioaale: 

Individuals  oflen  receive  a  lot  of  paperwork  at  one  rime.  One  method  of  ensuring  that  individuals 
actually  read  the  notice  of  information  practices  is  to  prominently  highlight  the  importance  of  the 
information  which  is  to  follow  in  the  notice.  See,  e.g..  Haw.  Rev.  Stat.  §  323C-13. 


These  comments  on  "Notice  of  Information  Practices"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  DisabiUties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 
Human  Rights  Campaign 
Justice  for  All 

Myositis  Association  of  America 
National  Association  of  People  With  AIDS 
National  Organization  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Qearingbouse 
Women's  Law  Project 
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ACCESS  FOR  INSPECTION  AND  COPYING 

Section  164^14    Access  of  individuals  to  protected  health  information. 

SUMMARY 

We  strongly  support  the  regulations'  giving  an  individual  the  right  to  see,  copy  and  correct  his  or 
her  health  information.  Individuals  should  have  the  hght  to  access  and  supplement  their  own 
health  information  so  that  they  can  make  informed  health  care  decisions  and  correct  errors  where 
appropriate.  Although  the  regulations  in  general  take  the  correct  approach,  there  are  a  number  of 
ways  in  which  the  right  of  access  can  be  made  more  meaningful  with  no  additional  burden  to 
covered  entities. 


1.       WHAT  ENTITIES  ARE  COVERED 
Recommendation: 

We  agree  with  the  regulations'  requiring  health  care  plans  as  well  as  health  care  providers  to 
provide  individuals  access  to  their  own  health  information  upon  request. 

Rationale: 

Some  have  suggested  that  health  care  plans  should  be  exempt  from  the  access  provisions  because 
it  would  be  unduly  burdensome  to  provide  access.  However,  it  is  important  that  individuals  be 
able  to  review  protected  health  information  maintained  by  health  plans  since  this  information  is 
used  for  making  underwriting  and  benefit  decisions.  A  recent  report  issued  by  the  California 
Cooperative  Healthcare  Reporting  Initiative  concluded  that  less  than  10%  of  the  encounter 
information  held  by  health  plans  had  complete  and  accurate  diagnosis  and  treatment  codes. 
California  Cooperative  Healthcare  Reporting  Initiative,  Completeness  and  Accuracy  of  Managed 
Care  Administrative  Data  Sets  (August  1999).  The  result  of  this  study,  although  not 
representative  of  all  health  plans,  illustrates  the  need  for  a  verification  and  correction  procedure. 


2.  DURATION  OF  THE  RIGHT  OF  ACCESS 
Recommendation: 

We  agree  with  the  proposal  that  covered  plans  and  providers  be  required  to  provide  individual 
access  for  as  long  as  the  entity  maintains  the  protected  health  information. 

Rationale: 

As  long  as  health  plans  and  providers  maintain  health  information,  they  have  the  ability  to  use 
and  disclose  that  information  without  the  individual's  consent  or  knowledge.  It  is  only  fair  that 
an  individual  who  is  the  subject  of  the  information  has  a  co-extensive  right  of  access,  including 
the  ability  to  review  documentation  of  third-parties  who  have  had  access  to  this  health 
information. 

3.  GROUNDS  FOR  DENIAL:  WHO  SHOULD  MAKE  THE  DETERMINATION 
Recommendation: 

The  decision  to  deny  an  individual's  request  for  access  to  his  h^th  information  should 
ultimately  be  made  by  a  health  care  provider  who  is  qualified  to  treat  the  patient  for  the  condition 
that  is  the  subject  of  the  health  inforaiation. 

Rationale: 

The  right  of  access  to  health  information  should  not  be  denied  lightly.  The  language  of  the 
current  regulation  would  allow  "a  licensed  health  care  professional"  to  make  this  determination- 
Because  "licensed  health  care  professional"  is  not  qualified  in  any  fashion,  professionals  would 
be  allowed  to  make  decisions  in  areas  in  which  they  have  no  training.  For  instance,  a  nurse 
trained  in  obstetrics  could  make  the  determination  to  deny  access  to  mental  health  information  on 
the  grounds  it  would  endanger  the  life  or  physical  safety  of  an  individual.  This  would  be  wrong. 
The  decision  to  deny  access  should  be  made  by  a  professional  in  the  relevant  field  of  medicine. 
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4.       GROUNDS  FOR  DENIAL:  RIGHT  TO  INDEPENDENT  REVIEW  OF  DENIAL 
Recommendation: 

The  regulations  should  provide  that  an  individual  has  the  right  to  designate  another  qualified 
health  care  professional  to  review  a  denial  of  access  to  protected  health  information. 

RatioBale: 

We  anticipate  that  most  requests  for  access  to  health  information  will  be  made  to  the  treating 
provider.  We  recognize  that  the  treating  provider  may  have  the  most  knowledge  of  the  patient 
and  should  have  some  say  in  whether  health  information  the  provider  has  received  or  created 
should  be  accessible  to  the  patient  However,  a  treating  provider's  intimate  knowledge  of  a 
patient  may  interfere  with  the  provider's  ability  to  make  an  objective  determination  whether 
access  should  be  granted.  In  fact,  in  circumstances  where  treatment  is  being  challenged,  a 
treating  provida-  may  actually  have  a  conflict  of  interest  in  making  the  determination  whether 
health  information  should  be  released  to  the  patient  An  indq>endent  review  is  necessary  in  order 
to  ensure  that  denials  of  access  are  made  on  appropriate  grounds.  Of  course,  it  would  be  ideal  to 
have  judicial  review  of  the  denial  of  access.  Since  providing  judicial  review  is  not  possible 
throu^  these  regulations,  providing  an  independent  layer  of  review  may  be  the  most  that  can  be 
accomplished  at  this  point 

An  independent  review  can  be  a  fiairly  straight-forward  process.  Most  states  that  have  access 
laws  provide  a  mechanism  by  which  an  individual  may  designate  a  second  health  care 
professional  to  review  the  original  denial  of  a  request  for  access  to  medical  records.  See.  e.g.. 
Ark.  Code  Ann.  Sec.  16-46- 106(b)  (when  denied  access  to  medical  records,  a  patient  may 
designate  another  doctor  to  review  the  files  and  to  make  the  final  determination  whe&er  to 
release);  R-L  Gen.  Laws  Sec.  5-37-25;  Wyo.  Stat  Ann.  Sec.  35-2-612;  Wash.  Rev.  Code  Ann. 
Sec.  70.02.090  (when  a  physician  denies  a  patioit  access  to  health  care  information,  the 
infonnation  must  be  disclosed  to  another  physician  designated  by  the  patient);  D.C.  Code  Ann.  § 
6-2043  (denial  of  mental  health  records  are  reviewed  by  an  independent  mental  health 
professional). 

We  believe  this  approach  provides  an  important  additional  layer  of  protection  for  health  care 
consumers.  Additionally,  this  proposed  independent  third-party  review  of  access  issues  may 
reduce  the  number  of  complaints  filed  with  the  HMS,  thereby  decreasing  the  administrative 
burden  on  the  agoKy. 


5.  GROUNDS  FOR  DENIAL:  ACCESS  SHOULD  NOT  BE  CONDITIONED  ON 
PAYMENT  FOR  TREATMENT 

Reconiniendadon : 

The  regulations  should  expressly  state  that  a  covered  provider  may  not  deny  an  individual  access 
to  his  protected  health  infonnation  because  of  an  unpaid  bill  for  health  care  services. 

RatioBale: 

An  individual's  right  to  see  and  copy  his  own  health  information  should  not  be  contingent  on  his 
payment  for  medical  services.  Questions  about  the  treatment  or  the  charges  for  the  treatment,  in 
£act,  may  be  the  basis  for  requesting  the  infomiation.  The  prohibition  against  conditioning  access 
to  health  information  on  the  payment  of  an  unpaid  medical  bill  is  supported  by  the  American 
Medical  Association's  Code  of  Medical  Ethics  which  provides  that  "medical  reports  should  not 
be  withheld  because  of  an  impaid  bill  for  medical  services."  AMA  Code  of  Ethics,  Opinions  on 
Physician  Records,  E-7.02.  Some  states  have  incorporated  this  principle  in  their  health  privacy 
laws.  See.  e.g.,  Md.  Code  Ann.  Health  -  Gen.  §  4-309;  S.C.  Code  Ann.  §  44-1 15-70;  Ca.  Health 
&  Safety  Code  §  123100  (which  prohibit  providers  fmm  withholding  medical  records  firom  a 
patient  because  of  unpaid  bills  for  health  care  services.) 

6.  PROCEDURES  TO  EFFECT  RIGHT  OF  ACCESS:  TRANSLATION  OF  CODES 
Recommendation : 

The  regulations  should  require  that  covered  entities  provide  an  explanation  in  plain  language  of 
any  code  or  abbreviation  used  in  the  requested  health  information  upon  the  individual's  request 
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Rationale: 

Some  covered  entities  maintain  protected  health  inforaiation,  such  as  dii^osis  and  treatment,  in 
coded  form,  which  is  unfamiliar  to  most  individuals.  Other  covered  entities  often  use  standard 
abbreviations  for  health  information.  For  most  individuals,  this  information  would  be  useless 
unless  it  is  translated  into  plain  language.  This  translation  reqxiirement  is  an  established 
requirement  in  laws  promoting  fair  information  practices.  The  Privacy  Act  requires  government 
agencies  to  provide  requested  records  to  an  individual  "in  a  form  comprehensible  to  him."  5 
U.S.C.A.  Sec.  552a(d).  Similarly,  both  the  Uniform  Insurance  Information  and  Patient 
Protection  Act,  adopted  by  16  states,  and  the  Uniform  Health-Care  Information  Act,  adopted  by 
4  states,  impose  such  a  translation  requirement  See  e.g.,  Mont.  Code  AniL  Sec.  50-16-541 
(health  care  provider  must  provide  an  explanation  of  any  code  or  abbreviation  used  in  requested 
health  records  upon  request);  Wyo.  Stat  Aim.  Sec.  35-2-61 1  (same  for  hospitals);  Wash.  Rev. 
Code  Ann-  Sees.  70.02.080,  71.05.395,  70.02.902  (must  provide  an  explanation  of  any  code); 
N.C.  Gen.  Stat  Sec.  58-39-45(a)  (insurance  entity  maintaining  information  in  coded  form  must 
provide,  in  writing,  an  accurate  translation  in  plain  language). 


7.  PROCEDURES  TO  EFFECT  RIGHT  OF  ACCESS:  NOTIFICATION  OF 
WHERE  INFORMATION  IS  iMAINTAINED 

Recommendation: 

Covered  entities  should  be  required  to  inform  the  individual  of  the  name  and  address,  if  known, 
of  the  entity  that  maintains  the  requested  health  information  if  die  covered  entity,  itself,  does  not 
maintain  the  health  informatioiL 

Rationale: 

It  can  be  difficult  for  an  individual  to  determine  where  his  health  information  is  maintained, 
particularly  where  several  providers  have  been  involved  in  a  patient's  care.  Locating  health 
information  should  not  be  a  guessing  game.  To  the  extent  the  covered  entity  knows  the  correct 
location  of  the  information,  the  covered  entity  should  be  required  to  provide  this  information  to 
the  requesting  individual.  The  Uniform  Insurance  Information  and  Patient  Protection  Act, 
adopted  by  16  states,  ahready  imposes  this  notification  requirement  on  insurance  entities. 

8.  ACCESS  TO  RESEARCH  INFORMATION 

(See  Comments  filed  under  ^Research  -  Patient  Access**) 


9.  PROTECTING  MINORS  AND  OTHER  VULNERABLE  PEOPLE  FROM  HARM 
Recommendation : 

Out  of  concem  for  protecting  minors  (as  well  as  older  people,  incapacitated  or  incompetent 
people,  and  others)  from  abuse  by  their  parents,  guardians,  or  other  legal  representatives,  we 
suggest  that  the  rule  vest  covered  entities  with  broader  discretion  to  deny  access  to  protected 
health  information  in  certain  circiunstances. 

Rationale: 

Section  164.514(bXi)  of  the  proposed  rule  permits  a  covered  entity  to  deny  an  individual  access 
to  protected  health  information  whenever 

(i)  A  licensed  health  care  professional  has  determined  that,  in  the  exercise  of 
reasonable  judgment,  the  inspection  and  copying  requested  is  reasonably  likely  to 
endanger  the  life  or  physical  safety  of  the  individual  or  another  person,  (page 
60060) 

The  Department  offers  compelling  reasons  for  permitting  a  denial  of  access  only  in  the  narrow 
circumstances  when  a  person's  life  or  physical  safety  would  otherwi^  be  at  risk,  but  these 
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reasons  pertain  only  to  a  situation  in  which  the  individual  requesting  access  is  also  the  subject  of 
the  protected  health  information.  Thus,  the  Department  cites  the  example  of  a  health  care 
provider  who  reasonably  determines  that  certain  information  about  a  suicidal  or  homicidal 
individual  should  be  withheld  from  that  individual  to  avoid  triggering  violence.  The  Department 
notes,  however,  that  the  presumption  in  favor  of  access  is  so  strong  when  an  individual  seeks 
health  information  about  him-  or  herself  that  the  risk  of  psychological  or  emotional  harm  should 
not  be  enough  to  justify  a  denial  of  access. 

The  balance  shifts,  however,  when  a  person  —  acting  as  a  parent,  guardian,  other  person  acting 
in  loco  parentis,  or  legal  representative,  in  accordance  with  section  164.504  —  seeks  access  to 
the  protected  health  information  of  another.  In  that  case,  the  imperative  is  to  protect  the  life, 
physical  safety,  and  emotional  and  psychological  safety  of  the  vutoerable  person  who  is  the ' 
subject  of  the  protected  health  information.  Thus,  health  care  professionals  who  treat  victims  of 
child  abuse,  elder  abuse,  and  other  forms  of  domestic  violence  should  have  broad  discretion  to 
withhold  information  about  these  individuals  from  those  who  the  professional  reasonably 
believes  may  harm  the  patient  Such  discretion  is  especiaUy  critical  when  the  patient  has 
revealed  the  abuse  and  physical  or  emotional  retaUation  by  the  abuser  is  a  real  possibiUty. 

As  we  read  the  proposed  rule,  this  situation  is  not  covered  by  section  164.514(b)(ii),  which 
allows  a  covered  aitity  to  deny  access  whenever 

(ii)  The  information  is  about  another  person  (other  than  a  health  care  provider) 
and  a  licensed  health  care  professional  has  determined  that  the  inspection  and 
copying  requested  is  reasonably  likely  to  cause  substantial  harm  to  such  other 
persoiL 

The  Dq)artment's  explanation  of  this  provision  suggests  that  it  governs  access  to  the  individual's 
own  health  information  when  diat  information  makes  reference  to  another  person.  As  explained 
in  the  preamble  (p.  59982),  die  Department's  particular  and  legitimate  concern  seems  to  be  the 
situation  in  which  "[ijnformation  about  a  third  party  may  appear  in  an  individual's  records 
unbeknownst  to  the  individual,''  and  an  unauthorized  disclosure  about  this  third  party  should  be 
avoided  if  it  threatens  harm. 

To  differentiate  among  these  three  situations,  and  to  provide  appropriate  discretion  to  deny 
access  in  each  one,  we  recommend  the  revision  of  subsections  1 64.5 1 4{bXi)  and  (ii)  and  the 
addition  of  a  new  section  (iii),  as  shown  below. 

1.  Revise  sections  164.514(bXi)  and  (ii)  and  add  a  new  section  (iii): 

(b) .  . .  [A]  covered  entity  may  deny  a  request  for  access  under  paragraph  (a)  of 
this  section  where: 

(i)  The  individual  seekine  access  is  the  subject  of  the  protected  health 
information,  and  a  licensed  health  care  professional  has  detennined  that,  in  the 
exercise  of  reasonable  professional  judgment,  the  inspection  and  copying 
requested  is  reasonably  hkely  to  endanger  the  life  or  physical  safety  of  the 
individual  or  anotiier  person; 

(ii)  The  individual  seddnp  access  is  the  subject  of  the  protected  health 
informatioiL  but  that  ^  information  makes  reference  to  is  about  another  person 
(other  than  the  individual's  a  health  care  provider),  and  a  licensed  health  care 
professional  has  detennined  that,  in  the  exercise  of  reasonable  professional 
judgment  die  inspection  and  copying  requested  is  reasonably  likely  to  cause 
substantial  harm  to  such  other  person; 

(iii)  The  individual  seeking  access  is  not  the  subject  of  the  protected  healtii 
information  but  is  instead  a  parent  guardian,  person  acting  in  loco  parentis,  or 
legal  representative,  in  accordance  with  section  164.504.  and  a  licensed  health 
care  professional  has  determined  that  in  the  exercise  of  reasonable  professional 
judgment  the  inspection  and  copying  requested  is  reasonably  likelv  to  cause  hami 
to  the  person  who  is  die  subject  of  the  i»otected  health  information  or  to  another 
persorL 
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(The  other  subsections  of  section  164.514(b)  would  have  to  be  renumbered  accordingly.) 

Our  suggested  revisions  and  addition  are  meant  to  clarify  the  rale  and  to  provide  essential  extra 
protection  to  those  vuhierable  people  who  depend  on  others  to  exercise  their  rights  under  the 
rule,  but  who  must  be  shielded  from  abuse  by  those  who  are  given  the  power  to  act  in  their  stead. 


These  comments  on  '^Access  for  Inspection  and  Copying"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  DisabiUties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  DisabiUties  Privacy  Working  Groiq> 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Parmership  for  Women  and  Families 

Privacy  Rights  Clearinghouse 

WcMnai's  Law  Project 

ACCOUNTING  OF  DISCLOSURES 


Section  164.515       Accoanting  for  disclosures  of  protected  health  infonnatioa. 
SUMMARY 

We  commend  the  Secretary  for  granting  an  individual  the  right  to  obtain  an  accounting  of 
disclosures  that  have  been  made  of  protected  health  information.  An  individual  should  be  able  to 
find  out  who  has  seen  his  or  her  health  information  and  for  what  purpose.  We  believe  this  right 
of  access  should  extend  to  a  full  audit  trail  where  one  exists. 


Recommendation: 

Individuals  should  have  the  right  to  review  the  fiill  audit  trail  documenting  who  has  had  access  to 
their  protected  medical  information. 

Rationale: 

The  proposed  Security  Standards  would  require  covered  entities  to  put  into  place  audit  trails  as  a 
means  of  policing  access  to  the  protected  health  information  maintained  in  their  systems.  To  the 
extent  a  fUlI  audit  trail  documenting  who  has  had  access  to  an  individual's  protected  health 
information  exists,  it  should  be  made  available  to  the  individual  upon  request.  This  practice  is 
useful  in  detecting  alleged  violations  of  confidentiality.  The  provision  of  a  full  audit  trail  can  also 
help  reduce  patients'  suspicions  and  provide  the  motivation  for  organizations  to  develop  strong 
measures  for  protecting  patient  infomiation.  National  Research  Council,  For  the  Record: 
Protecting  Electronic  Health  hiformation  (1997)  pp.  137-138. 

The  proposed  regulations  would  only  provide  access  to  a  small  portion  of  an  audit  trail,  Le., 
those  disclosures  made  by  a  covered  entity  for  purposes  other  than  treatment,  payment,  and 
health  care  operations.  The  regulations  take  this  approach  on  the  grounds  that  this  is  the  portion 
that  most  people  would  be  interested  in  and  that  to  provide  for  a  fiill  accounting  would  be 
burdensome.  We  disagree  with  this  rationale.  Since  the  audit  trail  will  already  exist  for  electronic 
records  it  would  be  fairly  easy  to  provide  upon  request  Furthermore,  the  individuals  who  would 
have  an  interest  in  reviewing  this  information  would  need  to  review  the  full  audit  trail,  not  just 
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that  portion  that  pertains  to  infonnation  that  is  shared  with  persons  outside  the  covered  entity  for 
purposes  other  than  treatment,  payment  and  health  care  operations.  The  source  of  an  improper 
disclosure  of  or  imauthorized  access  to  protected  medical  information  is  just  as  likely  to  be 
within  a  covered  entity.  (A  recent  example  is  the  Emory  University  nurse  who  claims  she  was 
terminated  after  her  supervisor  improperly  accessed  her  medical  records  without  her  consent  and 
discovered  she  was  suffering  from  depression.) 

We  are  particularly  concerned  about  the  interrelation  of  the  accounting  provisions  with  the 
provisions  allowing  (or  requiring)  disclosures  of  protected  health  information  without  individual 
authorization  for  treatment,  payment  and  health  care  purposes.  See  section  164.506.  By 
prohibiting  the  use  of  authorizations  for  treatment,  payment  and  health  care  operations,  the  draft 
regulations  allow  the  free-flow  of  health  information  for  these  purposes  without  any  input  from 
the  individual.  By  excluding  disclosures  made  for  treatment,  payment  and  health  care  purposes 
from  the  accounting  provisions,  the  regulations  also  take  away  from  the  individual  the 
mechanism  by  which  the  individual  could  verify  that  thae  has  not  been  an  abuse  of  this  free- 
floating  system.  Essentially,  the  regulations  allow  this  protected  health  information  to  be  used 
and  disclosed  for  treatment  and  payment  purposes  without  any  accountability  to  the  individual 
who  is  the  subject  of  the  information.  We  believe  such  a  system  is  woefully  inadequate. 


These  cormnents  on  "Accounting"  have  been  endorsed  by  the  following  organizations:  ^ 

American  Association  of  People  with  DisabiUties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizens  with  DisabiUties  Privacy  Working  Grotq) 
Families  USA 

Federation  of  Famihes  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Families 

Privacy  Rights  Clearin^ouse 

Women's  Law  Project 

AME>a)MENT  OR  CORRECTION 
Section  164^16        Amendment  and  correctioa. 

SUMMARY  . 

The  proposed  regulations  rightly  provide  an  individual  with  the  right  to  request  an  amendmrat  or 
correction  of  health  information.  This  is  an  important  consumer  right  which  allows  an  mdmdual 
to  ensure  that  recorded  health  information  which  is  relied  on  not  only  for  treatment  purpose,  but 
also  for  insurance  and  other  purposes,  is  complete  and  accurate.  However,  we  believe  that  the 
regulations  should  more  closely  follow  the  rights  afforded  in  other  federal  privacy  stamtes  such 
as  the  Privacy  Act  and  the  Fair  Credit  Reporting  Act. 


1.        GROUNDS  FOR  DENIAL 

Recommendation:  . 

A  covered  entity  should  not  be  aUowed  to  deny  a  request  for  amendment  or  correction  solely  on 
the  basis  that  it  did  not  create  the  information. 
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Rationale: 

The  proposed  regulations  perniit  a  covered  entity  to  deny  a  request  for  amendment  or  correction 
on  the  grounds  that  the  information  was  not  created  by  the  covered  entity.  The  effect  of  this 
regulation  is  that  only  the  creator  of  the  health  information  in  dispute  has  an  obligation  to  correct 
or  amend  it.  We  note  at  the  outset  that  no  such  restriction  is  imposed  in  other  laws  based  on  fair 
infonnation  practices  such  as  the  Fair  Credit  Reporting  Act  or  in  the  Uniform  Insurance 
Information  and  Privacy  Protection  Act.  ITiere  is  oo  need  for  such  a  requirement  in  the  present 
regulations. 

Furthermore,  the  proposed  regulation  fails  to  take  into  account  the  fact  that  there  may  come  a 
time  when  the  creator  of  the  information,  the  only  entity  responsible  for  making  corrections, 
ceases  to  exist.  For  instance,  in  recent  years,  many  health  maintenance  organizations  have  gone 
out  of  business.  The  right  of  the  individual  to  have  health  infomiation  corrected  should  not  be 
extinguished  with  the  demise  of  the  creator  of  the  information.  (Of  course,  this  scenario  raises 
the  larger  question  of  how  to  assure  continuity  of  care  and  record  maintenance,  which  we 
understand  is  probably  beyond  the  scope  of  the  current  regulations.)  If  a  covered  entity  is  able  to 
determine  the  accuracy  or  completeness  of  health  information  from  the  materials  provided,  the 
entity  should  make  the  correction  or  amendment.  The  provision  that  allows  a  covwed  entity  to 
deny  a  request  to  amend  solely  on  the  basis  that  the  entity  did  not  create  the  information  should 
be  deleted.  Recognizing  that  there  will  be  times  that  a  covered  entity  may  not  be  able  to  verify 
the  accuracy  of  a  requested  correction  or  amendment,  we  suggest  that  the  language  of  Sec. 
164.5 16(i)  be  amended  as  follows: 

Was  not  created  by  the  covered  entity  and  the  covered  entity  carmot  reasonably  determine 
whether  the  information  is  accurate  or  complete. 

2.       BUSINESS  PARTNERS'  DUTY  TO  AxMEND 
Recommendation: 

The  regulations  should  provide  that  the  written  contract  between  a  covered  health  provider  or 
health  plan  and  a  business  parmer  must  require  the  business  partner  to  correct  or  amend 
protected  health  information  in  accordance  with  section  164.516. 

Rationale: 

Section  164.516(a)(1)  of  the  proposed  regulations  grants  an  individual  the  right  to  request  a 
covered  entity  that  is  a  health  plan  or  health  care  provider  to  amend  or  correct  protected  health 
informatiorL  The  regulation  then  allows  a  covered  entity  to  deny  a  request  for  amendment  or 
correction  on  the  grounds  that  the  information  was  not  created  by  the  covered  entity.  Section 
164.516(a)(2).  A  problem  arises  when  an  error  occurs  at  a  business  parmer,  such  as  a  billing 
service.  For  instance,  a  business  partner  can  erroneously  code  an  individual's  health  informatioiL 
When  the  error  occurs  at  the  business  partaer  no  coverai  entity  "created"  the  erroneous 
information.  The  health  provider's  information  is  accurate  so  it  can  deny  the  request  to  amend  or 
correct.  The  health  plan  did  not  create  the  erroneous  information  so  it  also  has  grounds  to  deny 
the  request  to  correct  And  the  business  partner  is  not  a  covered  entity  and  is  not  encompassed  by 
section  164.516(a).  This  regulatory  scheme  effectively  creates  a  gap  in  an  individual's  right  to 
have  erroneous  health  information  corrected. 

The  current  provisions  of  section  164.506(e)  do  not  remedy  this  situatiotL  Under  the  proposed 
regulations,  a  covered  entity's  contract  with  a  business  partner  must  contain  a  clause  requiring 
the  business  partner  to  incorporate  any  amendments  or  corrections  to  protected  health 
information  made  by  a  covered  entity  when  notified  of  the  changes.  However,  there  is  no 
requirement  that  a  business  parmer  correct  or  amend  protected  health  information  where  the 
business  partner  creates  the  erroneous  health  information  in  the  first  instance.  In  order  to 
eliminate  this  potential  gap,  the  covo-ed  entity's  written  contract  should  require  business  partners 
to  correct  or  amend  information  at  the  individual's  request  pursuant  to  section  164.516.  As  a 
practical  matter,  individuals  have  frequent  contact  witii  some  business  partners,  such  as  billing 
services.  The  billing  service  is  often  given  as  the  point  of  contact  on  a  patient's  bill  from  a  health 
care  provider.  It  makes  sense  for  the  patient  to  be  able  to  request  the  business  partner,  such  as  the 
billing  service,  to  correct  erroneous  information  it  generated.  Since  the  regulations  can  not 
impose  this  requirement  directly  on  business  partners,  they  should  do  so  indirectly  through  the 
covered  entity's  contractual  provisions. 
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3.  NOTIFICATION  OF  STATEMENT  OF  DISAGREEMENT 
RecoBunentUtion: 

A  covered  entity  that  denies  an  individual's  request  to  correct  or  amend  his  health  information 
should  be  required  to  provide  the  individual's  statement  of  disagreement  to  previous  recipients  of 
the  disputed  health  care. 
Ratioaak: 

A  statement  of  disagreement  filed  in  response  to  a  denial  of  a  request  to  amend  health 
informatioa  should  be  afforded  the  same  treatment  as  an  agreed-to  correction.  Under  the 
proposed  regiilations,  a  statement  of  disagreement  is  only  provided  with  future  disclosures  of  the 
contested  information.  In  contrast,  notification  of  correction  is  provided  both  to  cotain  previous 
recipients  of  erroneous  health  information  and  in  future  disclosures.  There  is  not  a  good 
justification  for  the  differait  treatment  In  both  cases  the  previous  recipient  may  have  relied  on 
the  contested  health  information  to  the  detriment  of  the  individual  The  previous  recipient  should 
be  fiilly  informed  that  the  health  information  is  disputed  and  the  resolution  of  the  dispute.  See 
e,g.,  Mont  Code  Ann.  Section  50-16-543  (requiring  that  a  patient's  statement  of  disagreement  be 
sent  to  previous  recipients  of  die  disputed  healA  care  information  upon  request);  Md.  Code  Aim. 
Health  -  Gen.  Section  4-304(b)  (requiring  a  health  care  provider  to  give  a  copy  of  a  statement  of 
disagreement  to  previous  recipients  of  the  disputed  medical  record). 

4.  NOTIFICATION  OF  REBUTTAL  STATEMENT 
ReconmiendatioB . 

In  the  event  a  health  care  plan  or  health  care  provider  intends  to  provide  a  rebuttal  statement  to  a 
an  individual's  statement  of  disagreement,  the  covered  entity  should  be  required  to:  1)  notify  the 
individual  that  it  intends  to  provide  such  a  rd>uttal  statement  and  2)  provide  a  copy  of  the 
rebuttal  statement  to  the  iiKlividuaL 

Rationale: 

The  individual  should  be  fully  informed  of  the  ultin!iate  resolution  of  a  request  to  amend  or 
correct  health  information.  See  e.g.,  1999  Me.  Laws  512  Sec.  Ax3,  (if  a  practitioner  adds  a 
statement  in  response  to  the  submitted  clarification  or  correction,  the  practitioner  must  provide  a 
copy  of  that  statement  to  the  patient). 


These  comments  on  "Amendment  or  Correction"  have  been  endorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Committee  for  Children 

Consortium  for  Citizais  wifli  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Healtii 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

Kadooal  Associalioa  of  People  With  AIDS 
National  Organizatioa  for  Rare  Disorders 
National  Partnership  for  Women  and  Families 
Privacy  Rights  Clearinghouse 
Women's  Law  Project 
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SAFEGUARDS 

Section  164^18(c)  Safeguards. 

SUMMARY 

We  strongly  agree  with  the  proposed  regulations'  requiring  covered  entities  to  put  into  place 
administrative,  technical,  and  physical  safeguards  to  protect  against  the  improper  use  or 
disclosure  of  protected  health  information.  Procedures  for  verifying  the  identity  of  a  person  or 
organization  that  requests  information  would  help  prevent  improper  disclosures.  We  believe  that 
the  verification  requirement  should  apply  to  ail  requests  for  health  information  originating 
outside  of  the  covered  entity  where  the  covered  entity  does  not  regularly  do  business  with  the 
requesting  entity.  We  also  support  the  general  requirements  of  die  internal  complaint  process. 
Specifically,  we  agree  that  it  is  important  that  the  covered  entity  must  keep  a  record  of  the 
complaints  with  a  "brief  explanation  of  the  resolution."  We  also  support  the  regulatory  scheme 
that  allows  a  complaint  to  be  filed  with  the  Secretary  at  any  time,  even  if  an  internal  complaint  is 
pending.  However,  we  believe  that  it  is  important  to  provide  a  time  limit  and  other  specific 
procedures  for  implementing  the  internal  complaint  procedure. 


1.       VERinCATION  OF  mENTITY  OF  REQUESTERS  OF  INFORMATION 
Recommendation: 

The  regulations  should  expressly  require  that  the  verification  requirements  of  section  164.518(c) 
apply  to  disclosures  of  protected  health  information  for  treatment,  payment  and  health  care 
operations  purposes. 

Rationale: 

Under  proposed  section  164.506,  it  appears  that  providers  are  permitted  to  disclose  protected 
health  information  to  other  providers  for  consultation  or  referral  without  verifying  the  identity  of 
the  provider  who  has  requested  protected  information.  Because  providers  who  disclose  to  other 
providers  for  consultation  or  referral  purposes  are  not  subject  to  the  business  partner  rules  in 
section  164.506(e)  and  covered  entities  are  prohibited  from  obtaining  individual  authorizations 
under  section  164.506  (see  p.  59941),  providers  are  given  blanket  authority  to  disclose  protected 
health  information  for  treatment,  payment  and  health  care  operations  about  a  patient  without 
knowing  whether  the  person  who  has  requested  the  information  is  actually  who  they  represent 
they  are  and  whether  they  are  treating  that  particular  patient  or  have  another  valid  reason  for 
requesting  the  patient's  records.  We  recommend  that  the  verification  procedures  set  forth  in 
section  164.518(c)  apply  to  uses  and  disclosures  for  treatment,  payment  and  health  care 
operations. 

Section  164.518(c)  generally  requires  covered  entities  to  have  adequate  procedures  for  verifying 
that  the  individual  or  person  making  the  request  for  protected  health  infonnation  has  the 
appropriate  identity  for  the  use  or  disclosure  requested,  except  in  specified  circumstances.  The 
Secretary's  explanation  of  the  regulation  indicates  that  for  most  categories  of  permitted 
disclosures,  when  the  request  for  disclosure  of  protected  health  information  is  from  a  person  with 
whom  the  covered  entity  does  not  routinely  do  business,  the  covered  entity  would  be  required  to 
verify  the  identity  of  the  requestor.  It  is  clear  from  the  language  of  section  164.518(c)  and  the 
Secretary's  explanation  of  this  provision  that  the  verification  procedure  was  intended  to  apply  to 
section  164.510  requests  (made  pursuant  to  the  "public  policy"  uses  and  disclosures  permitted 
without  individual  authorization).  Furthermore,  section  164.510(a)(1)  itself  expressly 
incorporates  this  verification  requirement  and  requires  covered  entities  to  coniply  with  any 
sq)plicable  verification  requirements  under  section  164.518(c)  as  a  condition  of  using  or 
disclosing  protected  health  information  without  the  individual's  authorization. 

In  contrast,  it  is  unclear  whether  these  verification  procedures  apply  to  section  164.506  requests 
(made  pursuant  to  the  provisions  allowing  use  and  disclosure  for  treatment,  payment  and  health 
care  operations  without  individual  authorization),  even  where  the  request  for  information 
originates  from  an  unfamiliar  source  outside  the  covered  entity.  The  language  of  section 
164.518(c)  is  general  and  somewhat  ambiguous.  The  Administration's  explanation  of  section 
164.518(c),  while  general  enough  to  encompass  section  164.506  uses  and  disclosures,  does  not 
directly  address  uses  and  disclosures  for  treatmoit,  payment  and  health  care  operations. 
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Furtfiennore,  unlike  section  164.510,  section  164.506  does  not  expressly  incorporate  the 
verification  requirements  under  section  164.518.  Consequently,  it  is  at  least  arguable  that  the 
regulations  do  not  impose  the  164.518  verification  requirements  on  164.506  disclosures  even 
when  the  request  originates  fix>m  an  umamiliar  source  outside  the  covered  entity. 

Although  the  rules  in  section  164.506(e)  would  afford  some  protection  for  disclosures  to 
business  partners  by  requiring  contracts  that  ensure  that  the  business  partner  will  safeguard 
information  that  it  receives,  these  rules  expressly  exclude  disclosures  fi-om  provider  to  provider 
for  consultation  or  referral  purposes.  In  simi,  there  appear  to  be  no  verification  rules  or  other 
checks  on  provider  to  provider  disclosures  under  section  164.506. 

Presumably,  the  Secretary  considers  provider  to  provider  uses  and  disclosures  for  consultation  or 
referral  to  pose  less  of  a  risk  of  unwarranted  disclosure  than  other  uses  and  disclosures.  We 
believe,  however,  that  provider-to-provider  disclosures  for  consultation  and  refeaal  can  pose  a 
significant  risk  of  unwarranted  disclosure.  Consider  this  scenario:  a  woman  seeks  specialized 
treatment  for  reproductive  health  services,  or  mental  health  services.  If  another  provider  requests 
information,  the  provider  who  rendered  the  services  would  not  have  to  consult  the  patient  before 
the  disclosure  or  even  verify  who  has  requested  the  informatioiL  Of  particular  concern  is  that 
this  loophole  would  be  used  by  people  who  are  not  providers  to  obtain  information  under  false 
pretenses  on  patients. 

While  providers  may  argue  that  the  requirements  of  164.5 18(c)  create  additional  administrative 
burdens,  we  beUeve  that  these  verification  procedtires  are  reasonable,  and  the  only  situation  in 
which  providers  would  have  additional  administrative  burdens  is  when  the  identity  of  the 
provider  requestint,  the  information  is  unknown-where  the  risk  of  inappropriate  disclosure  is  the 
greatest.  Those  providers  tfiat  have  ongoing  relationships  would  obviously  know  the  requestor 
and  not  be  required  to  conduct  additional  verification. 

We  recommend  that  section  164.506(a)  be  amended  as  follows: 

(a)  Standard.  A  covered  entity  may  not  use  or  disclose  an  individual's  protected 
health  information,  except  as  otherwise  permitted  or  required  by  this  part  or  as 
required  to  comply  with  applicable  requirements  of  this  subchapter.  In  using  or 
disclosing  protected  health  information  under  this  section  a  covered  entity  must 
comply  with  applicable  verification  requirements  under  section  164.518fc). 


2.       INTERNAL  COMPLAINT  PROCESS 
Recommendation : 

Section  1 64.5 1 8  should  be  amended  to  require  that  due  process  be  utilized  in  processing 
complaints. 

Rationale: 

The  draft  regulation  requires  that  individuals  receive  notice  of  a  contact  person  within  the 
covered  entity  who  is  designated  to  receive  complaints.  Sections  164.518(a)(2)  and  (d)  permit 
individuals  to  submit  complaints  to  the  covered  entity.  We  urge  that  this  section  be  bolstered  by 
requiring  some  element  of  due  process  to  ensure  that  once  the  complaint  is  filed,  the  covered 
entity  must  hear  resolve  the  complaint  by  a  certain  time,  and  if  requested,  there  should  be  an 
appeals  process  if  the  determination  is  unfavorable  to  the  individual. 


These  comments  on  "Safeguards"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  CentCT  for  Mental  Health  Law 
Committee  for  CJhildrett 
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Consortium  for  Citizens  witii  Disabilities  Privacy  Woridng  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Families 

Privacy  Rights  Clearinghouse 

Women's  Law  Project 

SANCTIONS 

Section  164.518(e)    Sanctions:  standard. 

We  support  that  covered  entities  are  required  to  develop  and  apply  internal  sanctions  for  their 
own  failure  to  comply  with  the  regulations. 


These  cormnents  on  "Sanctions"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabihties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Conunittee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Woricing  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Families 

Privacy  Rights  Clearinghouse 

Women's  Law  Project 

RELATIONSfflP  TO  STATE  LAWS 

Section  160.201  Applicability. 

Section  160.202  Definitions. 

Section  160.203        General  rule  and  exceptions. 

SUMMARY 

We  strongly  support  the  approach  in  HIPAA  and  the  proposed  regulations  that  the  federal 
privacy  regulations  will  act  as  a  floor,  but  not  a  ceiling,  on  privacy  protections  afforded  by  the 
States.  Under  this  approach,  weaker  State  health  privacy  laws  are  preempted  (or  overridden) 
while  State  laws  that  offer  more  protection  than  the  federal  regulations  will  remain.  Furthermore, 
this  approach  allows  a  State,  in  the  future,  to  enact  stronger  privacy  protections  to  meet  the 
changing  needs  of  its  citizens. 

We  believe  that  the  regulations  should  provide  definitions  of  the  terminology  used  in  the 
preemption  provisions  for  general  purposes,  not  just  for  use  in  the  Secretary's  advisory  opinions. 
We  also  believe  diat  the  regulation  should  treat  state  laws  pertaining  to  disclosures  about  minors 
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the  same  as  other  state  laws  generally,  preempting  state  laws  that  are  contrary  to  the  proposed 
rule  and  less  protective  of  the  privacy  of  minors.  Lastly,  we  are  very  concerned  about  the  breadth 
of  the  provision  under  which  a  State  may  request  a  waiver  that  would  allow  a  weaker  State 
health  privacy  law  to  stand,  essentially  making  the  analogous  federal  regulation  inapplicable  in 
that  State. 


1.  DEFEVrnONS 
Recommendation: 

The  regulations  should  make  the  definitions  of  section  160.202  generally  applicable  to  section 
264  of  Pub.  L.  104-91. 

Rationale: 

Section  1 178  of  HIPAA,  Public  Law  104-191  (Aug.  21, 1996),  sets  out  general  rules  governing 
when  State  law  provisions  are  preempted  by  the  requirements  of  the  Administrative 
Simplification  provisions  of  HIPAA.  Section  264  of  HIPAA  more  specifically  addresses  when 
regulations  promulgated  by  the  Secretary  due  to  Congress's  failure  to  pass  legislation  governing 
privacy  standards  will  preempt  State  law.  In  the  preamble,  the  Secretary  recognizes  that  there  are 
a  number  of  ambiguities  m  both  section  1 178  and  264,  and  states  that  "clarifying  the  regulations 
will  generally  provide  substantially  more  guidance  to  the  regulated  entities  and  the  public  as  to 
which  requirements,  standards,  and  implementation  specifications  apply."  The  Secretjuy  tiien 
lists  five  definitional  questions  that  arise  in  considering  v^iiedier  or  not  a  State  law  is  preempted 
under  section  264.  In  light  of  this  discussion,  it  appears  that  the  definitions  of  these  terms  were 
intended  to  apply  generally  to  both  section  1 178  and  section  264. 

Section  160.201,  however,  states  only  that  the  provisions  which  contain  the  definitions  apply  to 
"detenninations  and  advisory  opinions  issued  by  the  Secretary  pursuant  to  42  U.S.C.  ISlOd-?." 
This  statement  appears  to  limit  the  applicability  of  the  definitions  to  the  Secretary's 
determinations  and  advisory  opinions,  as  opposed  to  providing  general  guidance  on  when  a  State 
law  is  preempted. 

We  suggest  that  a  new  provision  addressing  preemption  be  added  to  Subpart  E  of  the  regulations. 
The  new  regulation  should  specify  that,  for  purposes  of  determining  whether  a  State  law  is 
preempted  by  the  Secretary's  regulations  under  section  264  of  Public  Law  104-191,  tfie 
definitions  contained  in  45  C.F.R.  sec.  160.202  apply. 


2.       STATE  LAWS  RELATING  TO  MINORS 
Recommendation: 

The  regulation  should  treat  state  laws  pertaining  to  disclosures  about  minors  the  same  as  other 
state  laws  generally,  preempting  state  laws  that  are  contrary  to  the  proposed  rule  and  less 
protective  of  the  privacy  of  minors.  We  recommend  that  the  following  changes  be  made: 

1.  In  section  160.202  (the  definition  of  "more  stringent"),  delete  the  phrase  that 
begins  with  "provided,  however,"  as  shown  below: 

(2)  With  respect  to  the  rights  of  individuals  of  access  to  or 
amendment  of  individually  identifiable  health  information,  permits 
greater  rights  or  access  or  amendment,  as  applicable,  provided, 
howovor,  that  nothing  in  this  subchapter  ohall  bo  conotrued  to 
proompt  any  Stato  law  to  tho  oxtont  that  it  authorizoo  or  prohibits 
diocloGuro  of  protoctod  health  information  rogarding  a  minor  to  a 
parent,  guardian  or  peroon  acting  in  loco  parentis  of  such  mmor. 
(page  60051) 
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2.  Delete  reference  in  the  preamble  (page  59935)  to  non-preemption  and  include 
preamble  language  derived  from  the  discussion  above. 

Rationale: 

Because  we  agree  with  the  Department's  handling  of  minors  in  section  164.504,  we  disagree 
wi&  the  approach  taken  in  section  160.202  of  this  proposed  rule  with  respect  to  non-preemption 
of  state  laws  pertaining  to  minors.  The  proposed  rule  erroneously  treats  contrary  state  laws 
pertaining  to  minors  differently  from  contrary  state  laws  in  other  areas. 

Generally,  this  proposed  nile  (section  160.203)  preempts  contrary  state  laws  that  are  less 
protective  of  individual  privacy.  De^ite  this  general  rule,  the  proposed  rule  states  in  section 
160.202  (tiie  definition  of  "more  stringent")  that  laws  pertaining  to  minors  will  be  treated 
difforently.  The  proposed  rule  states: 

(2)  With  respect  to  the  rights  of  individuals  of  access  to  or  amendment  of 
individually  identifiable  health  information,  permits  greater  rights  or  access  or 
amendment,  as  applicable,  provided,  however,  that  nothing  in  this  subchapter 
shall  be  construed  to  preempt  any  State  law  to  the  extent  that  it  authorizes  or 
prohibits  disclosure  of  protected  health  information  regarding  a  minor  to  a 
parent,  guardian  or  person  acting  in  loco  parentis  of  such  minor,  (page  6005 1 , 
emphasis  added) 

This  means  that  all  State  laws  pertaining  to  disclosures  to  a  parent  would  stand  —  even  those 
contrary  to  the  policy  in  the  proposed  rule  —  whether  those  laws  are  more  or  less  protective  of 
the  minor's  privacy  than  the  proposed  mle. 

A  state  law  authorizing  or,  worse,  mandating  disclosure  of  protected  health  infonnation  about  a 
minor  to  a  parent  in  a  case  where  that  minor  has  lawfidly  obtained  health  care  services  without 
involving  the  parent  is  contrary  to  the  policy  stated  in  this  proposed  rule  and  less  protective  of  a 
minor's  privacy.  Such  a  state  law  should  be  preempted,  but  under  this  proposed  rule,  it  is  not. 

The  position  we  are  advocating  would  not  result  in  the  preemption  of  state  laws  that  establish  die 
circimistances  under  which  minors  can  access  health  care  service  on  their  own.  Thus,  for 
example,  state  laws  that  require  parental  involvement  before  a  health  care  provider  may  render  a 
•health  care  service  to  a  minor  would  not  be  preempted.  State  laws  establishing  the  circumstances 
under  which  minors  can  lawfully  obtain  care  (whether  those  laws  allow  minors  to  obtain  the  care 
without  parental  involvement  or  require  parental  involvement)  are  not  "contrary"  to  the  proposed 
rule.  Indeed,  their  continued  applicability  is  assured  by  the  proposed  rule  itself  because  the 
rule's  definition  of  "individual"  depends  upon  other  sources  of  law  (beyond  the  proposed  rule)  to 
determine  "when  a  minor  lawfully  obtains  a  health  care  service  without  the  consent  of  or 
notification  to  a  parent,  guardian,  or  other  person  acting  in  loco  parentis." 

Thus,  state  law  (and,  in  some  cases,  federal  law)  will  continue  to  determine  whether  a  minor  can 
lawfully  obtain  a  health  care  service  on  his  or  her  own.  But  when  the  minor  lawfully  can  obtain 
a  health  care  service  without  parental  involvement,  and  has  done  so,  state  law  cannot 
subsequently  permit  or  require  disclosure  to  a  parent  of  infonnation  relating  to  such  care.  Such  a 
state  law  would  be  preempted  under  the  position  we  advocate  here  because  it  would  be  contrary 
to  the  proposed  rule  and  less  protective  of  the  minor's  privacy. 

It  is  unclear  why  the  Department  decided  not  to  preempt  contrary  state  law  pertaining  to  minors. 
No  rationale  is  stated  in  the  proposed  mle.  In  addition  to  being  illogical,  such  an  approach  is 
inconsistent  with  HIPAA,  which  spells  out  limited  situations  in  which  contrary  state  laws  are  not 
preempted.  (The  exceptions  that  are  required  by  HIPAA  are  listed  in  section  160.203.) 
Accordingly,  we  urge  the  Department  to  change  this  aspect  of  the  proposed  rule  and  to  treat  state 
laws  pertaining  to  minors  the  same  as  other  state  laws  generally:  state  laws  that  are  contrary  to 
the  proposed  rule  and  less  protective  of  the  privacy  of  minors  should  be  preempted.  As  is  the 
case  generally  with  laws  diat  are  more  protective  of  privacy,  contrary  state  laws  that  are  more 
protective  of  the  privacy  of  minors  should  not  be  preempted. 
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3.       WAIVER  FOR  EXCEPTIONS  TO  PREEMFnON  OF  STATE  LAW 

We  are  v«y  concerned  with  the  Secretary's  proposed  section  160^04(a)  which  sets  forth 
requirements  for  States  to  apply  for  State  law  exceptions  to  the  general  preemption  provision  in 
section  160203.  While  we  recognize  that  HIPAA  sets  forth  the  standard  for  such  exceptions,  we 
strongly  believe  that  any  determination  by  the  Secretary  under  section  160.204(a)  be  limited  to 
cases  where  an  exception  is  absolutely  necessary.  We  believe  that  in  making  such 
determinations  the  Secretary  should  weigh  the  benefits  of  granting  an  exception  against  the 
potential  harm  and  risk  of  disclosure  in  violation  of  the  regulation.  We  also  believe  that  the 
Secretary's  three  year  limitation  poses  significant  problems  and  should  be  limited  to  one  year. 

Under  proposed  section  160.204(a)  a  State  may  apply  to  except  a  provision  of  State  law  fi^m  the 
requirements  of  the  regulations,  if  any  of  the  criteria  in  section  160.203(a)  are  met  It  is  unclear 
why  the  Secretary  limited  the  procedural  requirements  in  section  160.204(a)  to  only  those 
applications  under  section  160.203(a).  We  strongly  believe  that  the  requirements  of  section 
160.204(a)  should  also  apply  to  (b),  (c)  and  (d).  Adding  these  additional  subparts  would  provide 
clear  procedures  for  States  to  follow  and  ensure  that  requests  for  exceptions  are  adequately 
docuznoited. 

We  also  recommend  that  section  160  J04(a)  include  a  specific  requirement  that  the  Secretary 
make  a  detennination  that  the  benefits  of  an  exception  outweigh  the  potential  hann  and  the  risk 
that  protected  health  information  could  be  disclosed  in  violation  of  the  regulatioiL  Because 
individuals  do  not  have  a  private  right  of  action  under  the  regulation,  the  importance  of  such  a 
balancing  test  is  significant  We  reconmiend  the  following: 

The  Secretary's  detennination  under  this  paragraph  will  be  made  on  tiie  basis  of 
the  extent  to  which  the  information  provided  and  other  factors  demonstrate  that 
one  or  more  of  the  criteria  in  160203(a).  (h).  (c)  or  fd^  has  been  met  If  it  is 
determined  that  the  federal  standard,  requirement,  or  implementation  specification 
accomplishes  the  purposes  of  the  criterion  or  criteria  at  160203(a).  fb").  (c)  or  (d) 
as  well  as  or  better  than  the  State  law  which  the  request  is  made,  the  request  will 
be  denied.  In  making  such  a  determination,  the  Secretary  must  consider  whether 
the  benefits  of  an  exception  outweigh  the  potential  harm  and  risk  that  protected 
health  information  could  be  disclosed  in  violation  of  this  part. 

While  we  recognize  that  any  determination  by  the  Secretary  under  section  160.204(a)  will  be  the 
exc^jtion  rather  than  the  rule,  we  strongly  believe  that  a  State  should  be  required  to  explain 
whcdier  it  has  takra  any  action  to  correct  any  less  stringent  State  law  for  which  an  exception  has 
been  requested.  We  recommend  that  the  following  section  be  added  to  section  160.204(a): 

(vi)  A  state  must  specify  what  if  any,  action  has  been  taken  tn  ampn^  thf  Sfatp 
law  to  comply  with  the  federal  regulations. 

We  strongly  disagree  with  section  1 60.204(aX4)  which  sets  a  three  year  time  limit  for 
exceptions.  The  Secretary  does  not  discuss  why  this  time  limitation  was  chosen.  We  strongly 
believe  that  all  exceptions  should  be  limited  to  one  year.  While  we  recognize  that  this 
requirement  would  likely  increase  the  number  of  requests,  a  one  year  limitation  would  provide 
more  fi^uent  review  of  the  necessity  for  exceptions.  We  are  particulariy  concerned  about  those 
laws  for  which  excqjtions  are  granted  but  which  provide  less  privacy  protections  than  the  federal 
regulation.  For  these  same  reasons,  proposed  section  160.204(aXv)  should  require  that  each 
request,  regardless  of  duration,  include  a  description  of  the  length  of  time  such  an  exception  is 
necessary. 


These  comments  on  "Relationship  to  State  Laws"  have  been  oidorsed  by  the  following 
organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
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Committee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legzd  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Families 

Privacy  Rights  Clearinghouse 

Women's  Law  Project 

COMPLIANCE 

Section  164322       Compliance  and  enforcement 
SUMMARY 

We  generally  support  the  proposed  regulations'  approach  towards  compliance.  Ideally, 
individuals  would  have  the  ability  to  bring  suits  in  equity  to  require  covered  entities  to  comply 
with  the  proposed  regulations.  We  recognize,  however,  that  die  Secretary  does  not  have  the 
authority  to  create  such  individual  rights.  Given  the  statutory  limitations  of  HIPAA,  we  believe 
diat  the  proposed  complaint  procedure,  while  not  ideal,  is  beneficial  in  assuring  compliance  widi 
the  privacy  standards.  We  are  concerned,  however,  about  whether  the  Department's  Office  for 
Civil  Rights,  currently  a  fairly  small  office,  is  adequately  funded  to  properly  support  the 
proposed  complaint  procedure.  We  also  suggest  changes  to  the  regulations  which  we  believe  will 
improve  the  complaint  procedure.  First,  we  believe  that  the  time  period  for  filing  a  con^ilaint 
should  commence  to  run  from  the  time  when  the  individual  knew  or  had  reason  to  know  of  the 
violation  or  omission.  Additionally,  we  believe  that  any  person  or  entity  that  has  knowledge  of 
noncompliance  by  a  covered  entity  should  be  able  to  file  complaints  with  the  Secretary  and  be 
protected  firom  retaliatory  acts. 

Recommendation : 

Section  164.522  should  be  amended  to  specifically  incorporate  a  time  limit  on  the  filing  of 
complaints  with  the  Secretary.  That  time  limit  should  run  from  the  point  when  the  individual 
knew  or  had  reason  to  know  of  the  violating  act  or  omission. 

Rationale: 

Section  164.522  sets  forth  the  procedure  by  which  an  individual  can  file  a  complaint  with  die 
Secretary  against  a  covered  entity.  In  the  preamble,  the  Secretary  indicates  that  the  proposed  time 
limit  on  filing  complaints  will  be  "within  1 80  days  of  those  acts  or  omissions."  64  Fed.  Reg. 
60002.  The  actual  text  of  section  164.522,  however,  does  not  contain  any  such  time  limit. 
Although  we  believe  that  it  is  reasonable  to  impose  a  time  limit  on  the  filing  of  such  complaints, 
we  believe  the  period  for  filing  a  complaint  should  run  from  the  time  the  individual  learns  about 
the  act  or  omission.  This  approach  is  consistent  with  the  manner  in  which  the  statute  of 
limitations  commences  to  run  for  the  purposes  of  the  Privacy  Act.  See  Tijerina  v.  Walters,  821 
F.2d  789,  797-98  (D.C.Cir.  1987)  (the  stattite  of  limitations  begins  to  run  when  the  plaintiff  knew 
or  had  reason  to  know  that  adverse  action  had  occurred);  Diliberti  v.  United  States,  817F.2d 
1259, 1262-63  (7th  Cir.  1987)  (same);  Bergman  v.  United  States,  751  F.2d  314,  316  (10th  Cir. 
1984)  (same),  cert  denied,  474  U.S.  945, 106  S.  Ct  310,  88  L.  Ed.  2d  287  (1985).  To  paraphrase 
the  reasoning  in  Tijerina,  because  possible  violations  of  the  regulations  may  not  be  immediately 
{q)parent  to  the  aggrieved  individual,  the  Secretary's  desire  to  provide  a  remedy  would  be  poorly 
served  if  the  complaint  needed  to  be  filed  before  the  individual  even  had  reason  to  know  of  the 
violation.  Tijerina  v.  Walters,  821  F.2d  at  797-798. 

Recommendation : 

Section  164.522  should  be  revised  to  permit  any  person  or  entity  to  file  complaints  whoi  they 
believe  that  a  covered  entity  is  not  complying  with  the  requirements  of  the  privacy  standards. 
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Radoaale: 

Section  1 64.522  of  the  proposed  regulations  establishes  a  procedure  for  individuals  to  file 
complaints  with  the  Secretary  when  the  individual  believes  that  a  covered  entity  is  not  complying 
with  the  privacy  standards.  As  defined  in  the  regulations,  the  term  "individual"  refers  to  the 
person  who  is  the  subject  of  the  protected  health  information.  See  section  164.504.  Thus,  under 
the  regulations  it  is  only  the  person  who  is  the  subject  of  the  protected  information  who  has  the 
right  to  file  a  complaint  with  the  Secretary.  There  will  be  times,  however,  when  another  person 
or  entity  may  be  most  familiar  with  the  compliance  (or  noncompliance)  of  a  covered  entity.  For 
instance,  a  mental  health  care  provider  may  have  first  hand  knowledge  of  a  health  plan  that 
improperly  requires  the  disclosure  of  psychotherapy  notes.  Anyone  that  has  knowledge  of 
noncompliance  by  a  covered  entity  should  have  a  formal  mechanism  for  reporting  such  problems 
to  the  Secretary. 

We  suggest  that  the  following  changes  be  made  to  section  164.522: 

(b)  Imdnidual  Complaints  to  the  Secretary.  Any  individual  or  other  person  or 
entity  who  believes  that  a  covered  entity  is  not  complying  with  the  requirements 
of  this  subpart . . . 

Recommendation : 

Section  164.522  should  also  be  amended  to  prohibit  a  covered  entity  fix>m  engaging  in 
intimidating  or  retaliatory  acts  against  an  individual  or  other  person  or  entity  that  fil^  a 
complaint  or  does  other  acts  protected  by  tfie  regulations. 

Rationaie: 

Section  164.522(dX4)  prohibits  a  covered  entity  fix>m  intimidating  or  taking  other  retaliatory 
action  against  any  individual  for  the  filing  of  a  complaint,  otherwise  assisting  or  participating  in 
an  investigation  or  opposing  any  act  or  practice  made  unlawful  by  this  subpart  Because  die  term 
"individual"  refers  only  to  the  person  who  is  the  subject  of  the  protected  health  information,  this 
provision  offers  no  protection  to  other  covered  entities  or  persons  who  may  file  complaints  with 
die  Secretary  or  otherwise  oppose  any  act  or  practice  made  unlawful  by  the  privacy  regulations. 
See  section  164.504  (defining  "individual"). 

We  believe  this  provision  also  should  prohibit  such  retaliatory  action  against  any  other  person  or 
entity  that  files  a  complaint  or  otherwise  insists  on  complying  with  the  regulations.  We  are 
concerned  about  retaliatory  actions  such  as  that  alleged  by  a  New  Jersey  psychoanalyst  who 
claims  that  he  was  ejected  fiom  a  managed-care  network  because  he  refused,  in  accordance  with 
the  New  Jersey  Peer  Review  Act,  to  provide  certain  details  of  patient  treatment  to  the  health 
plan.  See  "Insurer  Sought  Patient  Secrets;  Suit  Centers  on  Confidentiality,"  Asbury  Park  Press 
(Neptune,  NJ)  October  24, 1999  at  A- 1 .  Since  a  psychoanalyst  is  not  the  subject  of  the  protected 
health  information,  he  would  not  be  considered  to  be  an  "individual"  under  the  regulations  and 
would  not  be  protected  bom  such  retaliatory  action  by  section  164.522. 

We  suggest  the  following  changes  be  made  to  section  164.522(d): 

(4)  Refrain  frvm  intimidating  or  retaliatory  acts.  A  covered  entity  may  not 
intimidate,  threaten,  coerce,  discriminate  against,  or  take  other  r^iatory  action 
against  any  individual  or  other  person  or  entity  for  the  filing  of  a  conqilaint  under 
this  section,  for  testifying,  assisting,  participating  in  any  manner  in  an 
investigation,  compliance  review,  proceeding  or  hearing  under  this  Act,  or 
opposing  any  act  or  practice  made  unlawful  by  this  subpart 

Recommendation: 

We  recommend  that  the  Secretary  be  required  to  make  public  information  in  the  complaints,  with 
all  personal  identifiers  removed. 
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These  comments  on  "Compliance"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabilities 
Association  of  Womai's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Coimnittee  for  Children 

Consortium  for  Citizens  with  Disabilities  Privacy  Woricing  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  ADDS 

National  Organization  for  Rare  Disorders 

National  Parmership  for  Women  and  Families 

Privacy  Rights  Clearinghouse 

Women's  Law  Project 

ENFORCEMENT 

We  recognize  that  the  Secretary  is  limited  in  addressing  enforcement  mechanisms  by  the 
delegation  of  authority  in  HIPAA.  We  wish  to  note,  however,  that  it  is  critical  that  the  Congress 
act  to  grant  people  a  private  right  of  action  to  enforce  their  rights  under  this  regulation. 
Otherwise,  the  existing  framework  of  enforcement  will  always  be  lacking,  and  we  run  the 
substantial  risk  of  having  a  right  without  a  remedy. 

We  have  submitted  specific  recommendations  on  how  to  bolster  enforcement  and  compliance 
under  "Compliance,"  "Safeguards,"  "Sanctions"  and  "Business  Partners." 


These  comments  on  "Enforcement"  have  been  endorsed  by  the  following  organizations: 

American  Association  of  People  with  Disabihties 
Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Coimnittee  for  Children 

Consortiimi  for  Citizens  with  Disabilities  Privacy  Working  Group 
Families  USA 

Federation  of  Families  for  Children's  Mental  Health 

Human  Rights  Campaign 

Justice  for  All 

Legal  Action  Center 

Myositis  Association  of  America 

National  Association  of  People  With  AIDS 

National  Organization  for  Rare  Disorders 

National  Partnership  for  Women  and  Famihes 

Privacy  Rights  Clearinghouse 

Women's  Law  Project 
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The  Chairman.  Dr.  Horobin,  this  committee  has  been  interested 
in  tackling  the  issue  of  medical  errors  and  specifically  working  to- 
ward reducing  adverse  drug  effects.  Could  you  briefly  conmient  on 
how  the  proposed  rule  may  affect  companies'  ability  to  study  ad- 
verse drug  events? 

Dr.  Horobin.  The  one  thing  that  we  noticed  is  that  date  of  birth, 
for  example,  and  some  other  pieces  of  information  may  be  the  sub- 
ject of  de-identification.  Well,  one  of  the  things  we  absolutely  have 
to  provide  when  we  provide  information  to  the  FDA  on  adverse 
drug  events  is  exactly  date  of  birth.  And  certainly,  when  one  is  try- 
ing to  look  at  an  individual  study  and  assess  trends  or  an  individ- 
ual drug  and  assess  trends  which  would  help  us  understand  ad- 
verse drugs  effects,  information  like  that  is  very  valuable,  and  I 
think  we  would  find  it  more  difficult  to  do  our  job  appropriately 
without  some  of  that  information. 

The  Chairman.  As  you  have  noted,  the  definition  of  nonidentifi- 
able  health  information  is  very  important  in  doing  research.  Could 
you  briefly  outline  instances  in  which  a  researcher  would  need  to 
match  identifiers  to  the  anonymous  information  and  how  that  may 
typically  take  place? 

Dr.  Horobin.  The  t5rpe  of  situation  where  that  needs  to  take 
place  is  where  there  may  be  some  discrepancy  in  the  information 
that  we  have  received,  or  that  the  organization  that  is  doing  the 
clinical  research  for  us  has  received,  and  they  need  to  go  back  to 
the  individual  physician  and  check  that  information  out.  But  even 
in  that  situation,  there  is  really  no  need  to  provide  the  specific  in- 
formation about  the  patient  and  who  that  patient  is,  but  simply  to 
clarify  and  to  correlate  information  that  we  have  collected  with  in- 
formation that  exists  on  the  primary  medical  record. 

So  there  is  certainly  a  need  to  check  and  correlate,  but  there  is 
not  a  need  to  actually  provide  that  personal  information  to  the 
sponsoring  drug  company. 
The  Chairman.  Mr.  Kahn,  one  of  the  things  that  my  legislation 
'  allows  for  is  the  right  of  individuals  to  access  their  own  medical 
records.  Can  you  describe  a  typical  routing  of  a  medical  record 
when  requested  by  an  individual? 

For  instance,  would  I  have  to  contact  separate  doctors*  offices, 
hospitals,  or  health  plans  to  obtain  my  record? 

Mr.  Kahn.  Well,  currently,  it  is  the  case  that  those  records  are 
kept  in  very  different  places,  and  as  I  think  was  pointed  out  in  the 
previous  panel,  there  is  not  really,  or  there  are  very  few  cases  of 
a  true  electronic  medical  record.  We  still  have  records  that  are  kept 
in  file  drawers  in  most  doctors'  offices  or  at  hospitals,  and  although 
we  have  with  those  records  opportunities  where  they  cross  the  sys- 
tem— ^for  example,  a  lot  of  claims  are  submitted  to  insurance  com- 
panies on  paper,  and  then  the  insurance  companies  scans  it  into 
the  computer,  and  all  of  a  sudden,  it  becomes  an  electronic  record 
even  though  it  was  a  paper  claim  that  was  received  from  a  physi- 
cian. 

So  at  least  under  current  circumstances,  in  answer  to  your  ques- 
tion, a  patient  is  going  to  have  to  go  individually  back  to  all  the 
different  providers,  because  even  an  insurer  or  a  health  plan,  de- 
pending on  what  kind  of  health  plan  it  is,  will  not  necessarily  have 
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all  the  records  that  an  individual  may  have  for  their  medical  treat- 
ment. 

The  Chairman.  Has  your  organization  done  any  estimates  on 
what  it  would  cost  your  industry  to  comply  with  the  proposed  regu- 
lation? 

Mr.  Kahn.  There  have  been  some  estimates  done.  HIAA  has  not. 
Blue  Cross/Blue  Shield  Association  has  done  an  estimate,  and  they 
think  the  total  cost  of  compliance  here  for  the  health  care  system 
would  be  somewhere  in  the  $40  million  range  over  10  years  rather 
than  the  $3.8  or  $4  billion  range  that  the  Secretary  has  in  the  reg- 
ulation. 

I  think  the  Secretary  admits  in  the  regulation  that  there  are  vast 
areas  that  were  not  part  of  her  estimate,  particularly  in  this  area 
of  policing  of  business  partners  through  contracts  which  would 
have  to  be  renegotiated  and  other  kinds  of  systems  and  personnel 
that  would  have  to  be  added  to  make  sure  that  contractors  were 
living  up  to  whatever  requirement,  say,  a  covered  entity  was  living 
up  to. 

I  would  say,  if  I  had  to  guess,  that  the  cost  would  be  somewhere 
closer  to  the  Blue  Cross  estimate  than  to  the  Secretary's  estimate 
simply  by  looking  at  the  areas  the  Secretary  left  out. 

The  Chairman.  Dr.  Horobin,  do  you  have  a  comment? 

Dr.  Horobin.  No. 

The  Chairman.  OK.  Ms.  Goldman,  I  know  that  traditionally,  you 
have  advocated  for  a  Federal  floor  rather  than  a  ceiling  when  it 
comes  to  preempting  State  law.  However,  would  you  agree  that  the 
inconsistency  in  State  law  can  contribute  to  an  entity's  confusion 
as  to  the  laws  it  must  comply  with? 

Ms.  Goldman.  They  might  be  confused  initially,  but  there  is  no 
Federal  privacy  statute  right  now  in  any  other  area  that  preempts 
stronger  State  law,  so  when  the  Congress  passes  a  law,  those  enti- 
ties that  are  regulated,  whether  they  are  banks  or  telephone  com- 
panies or  credit  reporting  companies,  all  of  which  are  now  regu- 
lated under  Federal  privacy  statutes,  get  their  lawyers  together 
and  figure  out  what  is  the  law  that  now  applies.  There  are  State 
laws;  there  is  a  new  Federal  law.  What  falls  under  the  floor  as 
being  weaker,  and  what  are  the  stronger  requirements  we  have  to 
comply  with?  In  the  wiretap  law  right  now,  one-third  of  the  States 
have  stronger  privacy  requirements,  and  the  States  comply  with 
those.  So  I  think  it  is  not  unusual  that  that  would  happen. 

My  overall  point  was  that  it  will  simplify  the  work  of  the  health 
plans  and  the  providers,  the  hospitals,  because  right  now  there  is 
no  Federal  floor  under  which  those  weaker  State  laws  would  fall 
out.  So  right  now,  they  have  50  different  laws,  and  I  think  that  has 
got  to  be  more  difficult  and  more  complicated  and  more  costly  than 
having  something  that  is  uniform  and  allowing  those  specific 
stronger  laws  in  the  States  to  stand. 

The  Chairman.  The  GAO  indicated  that  many  of  the  comments 
from  various  disability  groups  stated  that  the  definitions  of  treat- 
ment, payment,  and  health  care  operations  were  too  broad;  yet  they 
did  not  include  disease  management.  Assuming  that  the  activities 
included  in  disease  management  are  important  to  people  with  dis- 
abilities, do  you  think  entities  should  have  access  to  health  infor- 
mation to  perform  those  duties? 


Ms.  GtoLDMAN.  It  is  an  important  question,  Mr.  Chairman.  I 
think  the  reason  that  our  organization  and  disability  rights  and 
consumer  groups  are  concerned  about  the  definition  of  treatment, 
payment,  and  health  care  operations  is  because  in  the  proposal, 
there  is  an  exception  to  authorization  for  using  information  for 
those  purposes;  there  is  no  authorization  required.  So  our  groups 
are  very  concerned  that  it  be  a  very  narrow  definition  that  directly 
ties  the  uses  of  the  information  to  the  treatment  and  payment  of 
that  individual's  care. 

That  is  our  concern.  Now,  there  is  no  set  definition  of  disease 
management,  as  I  have  heard  it.  If  we  polled  the  people  in  this 
room,  I  think  we  would  hear  50  different  definitions  of  disease 
management.  If  the  information  is  being  used  in  a  way  to  directly 
benefit  the  individual,  if  it  is  part  of  their  treatment,  their  pay- 
ment, their  health  care  operations,  I  think  it  should  fit  within  that 
first  tier— although,  again,  we  do  advocate  for  there  being  author- 
ization for  that. 

The  Chairman.  I  want  to  thank  you  all.  We  have  gone  a  little 
bit  over  our  intended  time,  but  this  has  been  extremely  helpful.  We 
will  reserve  the  right  to  keep  bugjging  you,  so  do  not  relax;  I  am 
sure  we  will  have  some  more  questions  for  you  as  we  go  on. 

It  has  been  a  pleasure  to  be  with  you  all  today.  Thank  you  very 
much. 

[Additional  statements  and  material  supplied  for  the  record  fol- 
lows:] 

Statement  of  Gary  D.  Rippentrop 

Dear  Mr.  Chairman  and  Members  of  the  Committee:  I  am  pleased  to  submit  the 
following  written  testimony  on  behalf  of  the  American  Collectors  Association,  Inc. 
(AC A)  for  inclusion  in  the  record. 

ACA  is  an  international  trade  association  representing  4,400  credit  and  debt  col- 
lection professionals  who  provide  a  variety  of  accounts  receivable  management  serv- 
ices. Headquartered  in  MinneapoHs,  ACA  serves  members  in  the  United  States, 
Canada  and  55  other  countries.  ACA  members  include  third-party  collection  agen- 
cies, credit  grantors,  attorneys  and  vendor  affiliates.  (For  more  information,  please 
visit  ACA's  Web  site  at  http://www.collector.com.) 

ACA  member  agencies  are  dedicated  to  the  services  they  provide  to  their 
healthcare  provider  clients.  As  such,  we  want  to  ensure  that  our  members' 
healthcare  provider  cHents — as  well  as  the  consumers  they  serve — are  satisfied 
knowing  that  ACA  member  agencies  comply  with  all  applicable  federal  and  state 
laws  and  regulations  regarding  debt  collection,  as  well  as  the  ethical  standards  and 
guidelines  established  by  the  association.  With  this  objective  and  commitment,  ACA 
worked  with  Congress  to  establish  the  federal  Fair  Debt  Collection  Practices  Act 
(FDCPA),  15  U.S.C.  1692  et  seq.  (1999)  in  1977,  and  it  is  in  this  same  context  that 
ACA  provides  this  testimony. 

It  should  be  further  noted  that  ACA  members  hold  privacy  as  a  priority  and  have 
continually  worked  with  healthcare  providers,  the  Federal  Trade  Commission  (FTC) 
and  others  in  our  industry  to  ensure  consumer  privacy  and  data  security  while 
meeting  the  association's  objective  to  obtain  payment  due  to  healthcare  providers  for 
services  rendered. 

Debt  collection  specialists  perform  an  invaluable  service  to  the  economy,  particu- 
larly to  the  healthcare  sector,  as  medical  collections  rank  as  the  largest  debt  market 
for  the  collection  industry.  The  hospital  industry  showed  gross  revenues  of  $610  bil- 
lion in  1998,  according  to  a  December  1999  report  by  the  American  Hospital  Asso- 
ciation. Several  industry  studies  have  estimated  that  bad  debt  averaged  4.5  percent 
of  hospitals'  gross  revenues  in  1998 — ^meaning  that  hospitals  wrote  off  $28  billion 
of  revenue  to  bad  debt  that  year.  According  to  the  Hospital  Accounts  Receivable 
Analysis,  the  average  bad  debt  write-off  per  hospital  was  nearly  $24  million  in  1998. 
(For  more  information,  see  the  HARA  Report  by  Aspen  Publishers,  Gaithersburg, 
MD.) 
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The  impact  of  debt  collection  on  the  economics  of  the  healthcare  industry  is  easily 
extrapolated  from  these  figures.  Without  the  services  of  debt  collectors,  the 
healthcare  industry  would  lose  billions  of  dollars  to  bad  debt  each  year.  Therefore, 
increasingly  restrictive  privacy  regulations  could  adversely  affect  the  collection  in- 
dustry, to  the  point  at  which  collection  agencies  would  no  longer  be  able  to  accept 
healthcare  business,  or  healthcare  providers  would  effectively  be  prevented  from 
placing  their  accounts  with  collection  agencies.  If  either  of  these  occurs,  the  revenue 
potentially  retrieved  by  the  agencies  would  be  lost  and  would  have  to  be  passed  on 
to  consumers  in  the  form  of  higher  prices. 

THE  ROLE  OF  COLLECTION  AGENCIES 

ACA  member  collection  agencies  work  with  all  provider  segments  of  the 
healthcare  industry.  Member  agencies  range  from  small,  family-run  businesses  to 
large  organizations  that  collect  or  operate  in  all  50  states,  as  well  as  in  other  coun- 
tries. Our  members'  chents  are  equally  diverse,  including  individual  healthcare  pro- 
fessionals, small  group  practices  and  offices,  clinics,  hospitals,  home  health  agencies, 
healthcare  systems  and  more. 

Given  all  of  these  different  factors,  the  transactions  that  occur  between  ACA 
members  and  their  clients,  as  well  as  patients  and  parties  responsible  for  the  debts, 
vary  greatly  in  form,  content  and  scope  of  information.  ACA  members  use  paper  and 
electronic  transactions,  most  of  which  are  not  standardized  nor  covered  under  the 
10  transactions  identified  by  the  Health  Insurance  Portability  and  Accountability 
Act  of  1996  (HIPAA).  Association  members  use  letters,  phone  calls  and  sometimes 
in-person  contacts  to  collect  on  legitimate  consimier  debts.  In  short,  collection  agen- 
cy work  is  not  standardized.  While  agencies  work  with  a  basic  set  of  data,  the  infor- 
mation they  receive  varies  with  their  healthcare  provider  cUents  and  their  clients' 
patients.  Despite  these  variances,  ACA  members  strive  to  be  coiirteous,  efficient  and 
effective,  recognizing  that  the  longer  it  takes  them  to  do  their  jobs,  the  less  likely 
it  is  that  their  clients'  receivables  will  be  returned  as  revenue — the  cash  that  keeps 
the  healthcare  system  in  business. 

For  example,  if  a  hospital  operates  with  a  profit  margin  of  2  percent,  and  if  one- 
half  of  1  percent  of  its  gross  revenues  ends  up  in  past-due  accounts,  which  have  to 
be  referred  to  a  professional  collection  service,  then  25  percent  of  the  hospital's  prof- 
it will  be  lost  unless  a  collection  specialist  can  make  some  recovery. 

A  few  ACA  member  collection  agencies  deal  exclusively  with  one  provider  client, 
while  some  deal  with  hundreds  of  medical  providers.  A  number  of  other  member 
agencies  service  not  only  healthcare  provider  clients,  but  also  credit  grantor  cUents 
from  other  industries.  Our  members'  relationships  have  been  defined  by  these  dif- 
ferences and  are  governed  by  contracts,  state  laws  and  the  FDCPA. 

ACA  members  are  well  aware  that  their  clients'  patients  do  not  expect  their  pri- 
vate health  information  to  be  treated  carelessly.  ACA  members  reaUze  the  privacy 
of  personal  information  is  a  serious  issue,  and  they  treat  it  as  such. 

AN  OVERVIEW  OF  THE  MARKET 

Consumer  and  commercial  debts  are  incredibly  costly  to  the  American  economy. 
According  to  the  Federal  Reserve  Board  of  Governors,  total  outstanding  consimier 
credit  is  more  than  $1.3  trillion. 

In  reahty,  there  is  no  such  thing  as  an  unpaid  bill.  According  to  the  Federal  Re- 
serve Board  and  the  U.S.  Census  Bureau,  unpaid  consumer  debt  costs  every  U.S. 
adult  $683  each  year.  This  translates  into  a  cost  for  the  average  non-supervisory 
worker  of  nearly  54  hours  in  lost  salary  (before  taxes)  each  year  to  pay  for  the  bad 
debt  of  other  consumers.  Other  consequences  of  unpaid  debts  include  business  fail- 
ures, reductions  in  the  work  force  and  increased  litigation. 

The  collection  of  past  due  accounts  by  collection  agencies  in  1998  resulted  in  the 
net  return  of  more  than  $31.8  bilUon  to  credit  grantors — a  significant  inftision  of 
money  into  the  economy.  Moreover,  the  economic  benefits  flowing  fi-om  collection 
services  accrue  to  both  credit  grantors  and  consumers,  by  controlling  rising  prices 
associated  with  bad  debt  and  by  providing  credit  options  to  consumers. 

HEALTHCARE  COLLECTIONS 

Patients  contribute  to  the  net  revenue  of  the  healthcare  industry  through  insur- 
ance co-pays  and  deductibles.  Individuals  without  insurance  coverage  also  contrib- 
ute to  the  healthcare  industry's  receivables  by  paying  for  their  healthcare  expenses 
out-of-pocket.  These  types  of  payment,  commonly  referred  to  as  patient  pay,  com- 
prise nearly  20  percent  of  U.S.  hospitals'  total  outstanding  accounts  receivable.  More 
than  30  percent  of  all  patient  pay  is  written  off  to  bad  debt,  according  to  a  recent 
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study  by  the  healthcare  consulting  firm  of  Zimmerman  &  Associates,  Hales  Comers, 
Wis.  (httpy/www.zimm-assoc.com). 

It  is  to  recover  this  outstanding  patient  pay  portion  of  receivables  that  hospitals 
and  other  healthcare  providers  enlist  the  services  of  a  collection  agency.  The  market 
for  outsourcing  healthcare  accounts  (active  and  past-due)  has  grown  from  $31  biUion 
in  1991  to  more  than  $100  billion  in  1998.  Outsourcing  is  the  strategic  use  of  out- 
side resources  to  perform  activities  traditionally  handled  bv  internal  staff  and  re- 
sources. Providers  outsource  receivables  to  third  parties  that  provide  patient  ac- 
counting services  and  systems  with  billing  productions,  biUing  submissions,  and  fol- 
low-up procedures  on  active  and  bad  debt  receivables.  In  the  area  of  healthcare  bad 
debt,  providers  outsource  past-due  patient  accounts  to  collection  agencies  for  profes- 
sional follow-up  and  retrieval  of  the  past-due  revenue. 

The  potential  annual  loss  of  billions  of  dollars  in  revenue  for  U.S.  healthcare  pro- 
viders coxild  drive  up  the  basic  costs  of  these  services.  Higher  costs  may,  in  turn, 
drive  up  the  percentage  of  healthcare  revenue  that  is  generated  fi'om  patients'  co- 
pays,  deductibles  and  so  forth.  Higher  levels  of  patient  pay  could  translate  into 
nigher  amounts  of  bad  debt  for  healthcare  providers,  leading  to  an  increasing  spiral 
of  lost  revenue  for  the  healthcare  industry. 

COMPLYING  WITH  STATE  AND  FEDERAL  LAWS  AND  REGULATIONS 

ACA  members,  as  with  all  collection  agencies,  are  already  required  to  comply  with 
comprehensive  federal  and  state  collection  laws  designed  to  give  consumers  impor- 
tant safeguards,  including  privacy  protections. 

On  the  federal  level,  the  Fair  Debt  Collection  Practices  Act  (FDCPA)  was  enacted 
in  1977  to  estabhsh  consistent  standards  for  fair  treatment  of  consumers.  In  addi- 
tion to  prohibiting  harassment  and  abuse  by  collectors,  the  law  also  delineates  prop- 
er procedures  for  obtaining  debtor  location  information,  communicating  with  con- 
sumers, and  disclosing  that  consumers  have  the  right  to  dispute  the  validity  of  the 
debt. 

ExpUcit  in  this  legislation  is  a  concern  for  debtor  privacy.  Specifically,  the  FDCPA 
includes  provisions  that  not  only  regulate  the  communication  between  debt  collec- 
tors and  consumers,  but  also  regulate  communication  between  debt  collectors  and 
third  parties.  Only  in  very  limited  situations  may  a  debt  collector  communicate  with 
anyone  other  than  the  consumer,  as  defined  by  the  statute. 

Defining  Communication  with  Debtors 

To  appreciate  the  breadth  of  the  consumer  privacy  protections  built  into  the 
FDCPA,  it  is  necessary  to  have  a  firm  understanding  of  the  term  "communication." 
The  Act  broadly  defines  communication  as  "the  conveying  of  information  regarding 
a  debt  directly  or  indirectly  to  any  person  through  any  medium,"  (15  U.S.C. 
§1692a(2)).  This  includes  information  about  the  debtor's  account  balance,  the  xmder- 
lying  documentation  evidencing  the  debt,  related  medical  records,  financing  docu- 
ments, patient  intake  forms,  hospital  records,  insurance  information  and,  of  course, 
the  consimier's  payment  history. 

To  soUdify  consimier  privacy  and  related  protections  under  the  FDCPA,  Congress 
further  expanded  what  might  otherwise  be  considered  the  traditional  definition  of 
a  debt  collector.  15  U.S.C.  §1692a(6)  defines  "debt  collector"  as,  any  person  who  uses 
any  instrumentality  of  interstate  commerce  or  the  mails  in  any  business  the  prin- 
cipal purpose  of  which  is  the  collection  of  any  debts,  or  who  regularly  collects  or  at- 
tempts to  collect,  directly  or  indirectly  debts  owed  or  due  or  asserted  to  be  owed  or 
due  another. 

In  some  instances,  creditors — including  medical  healthcare  providers — are  subject 
to  the  FDCPA.  For  example,  a  creditor  may  be  covered  under  the  Act  if  communica- 
tions with  consumers  suggest  that  an  independent  third  party  is  involved  in  the  col- 
lection of  a  debt  (such  as  a  third  party  billing  company  or  an  afiiliated  collection 
service  operating  under  a  name  that  is  different  from  that  of  the  creditor).  In  addi- 
tion, any  person  who  purchases  bad  debt  and  who  attempts  to  collect  debt  also  is 
subject  to  the  FDCPA  if  the  principal  purpose  of  his/her  business  involves  third 
party  collection  activity. 

Restricting  Collectors'  Communications  with  Debtors 

With  these  definitional  protections  in  mind,  it  becomes  easier  to  understand  why 
additional  privacy  restrictions  would  create  a  statutory  redundancy  in  the  law.  Sev- 
eral sections  of  the  FDCPA  restrict  communications  by  debt  collectors  in  connection 
with  the  collection  of  a  debt.  Each  of  these  restrictions  includes  the  unauthorized 
disclosure  of  any  underlying  medical  records  pertaining  to  a  debt  incurred  for  medi- 
cal purposes. 

Section  805(b)  of  the  Act  states: 
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[WJithout  the  prior  consent  of  the  consumer  given  directly  to  the  debt  collector, 
or  the  express  permission  of  a  court  of  competent  jurisdiction,  or  as  reasonably  nec- 
essary to  effectuate  a  postjudgment  judicial  remedy,  a  debt  collector  may  not  com- 
municate in  connection  with  the  collection  of  any  debt,  with  any  person  other  than 
the  consumer,  his  attorney,  a  consumer  reporting  agency  if  otherwise  permitted  by 
law,  the  creditor,  the  attorney  of  the  creditor,  or  the  attorney  of  the  debt  collector. 
(15  U.S.C.  1692c(b)) 

This  section  mandates  that  the  debt  collector  obtain  the  consumer's  consent  before 
engaging  in  any  communications  about  the  debt  with  anyone  other  than  the  few 
persons  Usted  in  this  section.  It  also  should  be  noted  that  such  consent  must  be 
given  directly  to  the  debt  collector.  This  requirement  for  direct  authorization  en- 
sures that  consimiers  control  who  receives  information  about  their  debts  and  pre- 
cisely what  information  may  be  shared  with  third  parties  about  their  obligations  to 
pay  the  debts. 

Debt  collection  is  actually  a  two-step  process.  First,  within  five  days  of  an  initial 
communication  with  the  consumer,  a  debt  collector  must  provide  the  consumer  with 
a  validation  notice  (15  U.S.C.  §1692g).  The  purpose  of  this  notice  is  to  provide  the 
consumer  with  written  documentation  of  the  debt,  the  amount  due,  ana  the  name 
of  the  creditor  to  whom  the  debt  is  owed.  The  notice  also  must  include  a  disclosure 
of  the  consumer's  right  to  dispute  the  debt,  his/her  right  to  inform  the  debt  collector 
that  the  collector  has  misidentified  the  consumer  as  the  party  responsible  for  the 
debt  and  the  consumer's  right  to  demand  that  the  debt  collector  verify  the  debt. 

The  second  step  in  the  collection  process  requires  the  debt  collector  to  actually 
verify  the  account  information  by  providing  the  consxuner  with  the  requested  docu- 
mentation thereof  before  resuming  any  coUection  activity  on  the  account.  There  is 
only  one  way  for  debt  collectors  to  comply  with  this  requirement  of  the  FDCPA, 
commonly  referred  to  as  verification.  Therefore,  by  law,  debt  collectors  must  contact 
the  original  creditor,  in  this  case,  the  medical  care  provider,  and  obtain  a  descrip- 
tion of  the  services  rendered  and  by  whom,  the  cost  of  the  services,  the  application 
of  any  insurance  or  workers'  compensation  payments,  and  other  relevant  informa- 
tion that  will  help  the  consumer  understand  their  payment  obligation.  Upon  the 
debt  collector's  receipt  of  this  information  from  the  creditor,  the.  collector  must  in 
turn  provide  the  consumer  with  such  documentation  in  the  form  of  an  account  ver- 
ification letter. 

Unauthorized  Third  Party  Disclosure 

Within  the  collection  industry.  Section  805(b)  of  the  FDCPA  is  commonly  referred 
to  as  the  unauthorized  third  party  disclosure  section.  It  controls  the  vast  majority 
of  a  debt  collector's  communications  regarding  consumer  debts  and  assures  consum- 
ers that  information  about  their  debts,  as  well  as  all  supporting  documentation,  will 
remain  private.  As  a  result  of  this  section  of  the  Act,  it  has  long  been  estabhshed 
that  a  collector  may  only  discuss  or  imply  the  existence  of  a  debt  to:  a  consumer, 
the  consxmier's  spouse,  the  consumer's  attorney,  a  consxmier-reporting  agency  if  oth- 
erwise permitted  by  law,  the  creditor,  the  attorney  of  the  creditor  or  the  attorney 
of  the  debt  collector. 

The  Federal  Trade  Commission  (FTC),  the  federal  agency  primarily  charged  with 
the  enforcement  of  the  FDCPA,  has  held  in  its  Official  Commentary  on  Fair  Debt 
Collection  Practices  that  a  collection  agency  may  not  send  a  written  message  that 
is  accessible  to  third  parties.  In  addition,  a  collection  agency  may  contact  only  the 
parties  specified  under  Section  805(b)  of  the  Act.  A  collection  agency,  for  example, 
could  not  contact  a  bank  about  a  dishonored  check  (without  the  consumer's  permis- 
sion) or  provide  a  report  on  a  consimier  to  a  non-profit  counseling  service.  53  Fed. 
Reg.  50097-50110  (Dec.  13,  1988).  A  collection  agency  cannot  fax  debtor  information 
to  a  consumer  at  his/her  place  of  employment,  due  to  the  likelihood  that  parties 
other  than  the  consumer  may  view  the  faxed  document.  A  collection  agency  cannot 
leave  a  message  on  a  consimier's  answering  machine  that  would  reveal  the  fact  that 
a  collection  agency  had  called  the  home.  In  addition,  a  collection  agency  that  has 
a  name  suggesting  the  nature  of  its  business  must  block  its  phone  calls  to  prevent 
inadvertent  disclosure  of  its  identity  on  a  consumer's  Caller  ID  box. 

Fortunately,  FDCPA  compliance  by  collection  agencies  has  been  extremely  high. 
Collection  agencies  have  established  systems  and  practices  that  virtually  guarantee 
data  privacy  and  full  compliance  under  the  law.  To  date,  there  has  been  very  limited 
litigation  involving  this  section  of  the  FDCPA.  But  when  a  violation  is  alleged, 
courts  have  narrowly  interpreted  the  statute  to  afford  consumers  with  the  greatest 
protection  possible.  One  such  example  is  the  case  of  Masuda  v.  Thomas  Richards 
and  Company,  759  F.  Supp.  1456  (CD.  CaUf  1991),  in  which  the  court  held  that 
a  collection  agency  violated  the  Act  by  communicating  with  a  consiuner's  insurance 
company  about  alleged  debts  without  the  consimier's  permission. 
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Three  additional  sections  of  the  FDCPA  further  restrict  or  prohibit  the  unauthor- 
ized sharing  of  information  about  a  consumer  debt  in  the  interest  of  protecting  the 
consumer's  privacy: 

15  U.S.C.  §  1692b  controlling  a  debt  collector's  communications  about  a  consximer's 
debt  when  acq\iiring  location  information  about  the  consumer; 

15  U.S.C.  §1692c(a)  controlling  a  debt  collector's  communications  about  a  consum- 
er's debt  when  engaging  in  direct  communication  with  a  consumer;  and 

15  U.S.C.  §1692(c)  controlling  a  debt  collector's  communications  about  a  consum- 
er's debt  when  communicating  with  a  consumer  following  the  debt  collector's  receipt 
of  a  cease  commiinication  notice  from  the  consumer. 

Prohibiting  Information  Obtained  Under  False  Pretenses 

To  solidify  Congress'  mandate  that  debt  collectors  do  not  obtain  information  con- 
cerning a  consumer  under  false  pretenses,  Congress  included  a  broad  and  far-reach- 
ing prohibition  against  deceptive  and  abusive  debt  collection  practices  in  Section 
807(10)  of  the  FDCPA.  15  U.S.C.  1692e(10)  provides  that,  "The  use  of  any  false  rep- 
resentation or  deceptive  means  to  collect  or  attempt  to  collect  any  debt  or  to  obtain 
information  concerning  a  consumer,"  is  a  violation  of  the  Act. 

This  section  of  the  FDCPA,  in  combination  with  the  sections  discussed  above, 
assures  consumers  the  greatest  privacy  under  the  law.  Therefore,  debt  collectors 
should  be  excluded  from  increasingly  restrictive  privacy,  as  tiiey  wiU  unquestionably 
create  substantive  conflict  of  law  issues,  federal  questions  of  preemption,  and  con- 
stitutional ambiguities  that  coiild  undermine  the  force  and  effect  of  the  existing  con- 
sumer privacy  protections  in  the  FDCPA. 

Penalties  for  Noncompliance 

The  penalty  for  noncompHance  with  the  FDCPA  is  severe.  The  Act  is  a  strict  li- 
abihty  statute  enforced  by  the  FTC,  state  offices  of  attorneys  general  and,  of  course, 
private  litigants.  With  the  exception  of  the  bona  fide  error  defense,  a  debt  collector 
who  is  foimd  to  have  violated  any  one  of  these  sections  of  the  FDCPA,  [sjhall  be 
Hable  to  the  plaintifJ/consumer  in  an  amount  equal  to  the  sum  of  any  actual  dam- 
ages sustained  by  such  person  as  a  result  of  such  failure,  and  in  the  case  of  any 
individual,  such  additional  damages  as  the  court  may  allow  but  not  exceeding 
$1000.  (15  U.S.C.  1692K(a)(2){A)). 

In  the  case  of  a  class  action  lawsuit,  the  debt  collector  is  exposed  to  an  even  great- 
er Uabihty.  In  this  instance,  a  debt  collector  who  is  found  to  have  violated  any  one 
of  these  sections,  [s]hall  be  liable  in  an  amount  equal  to  the  sum  of  such  amount 
for  each  named  plaintiff  as  could  be  recovered  for  an  individual  action  and  such 
amount  as  the  court  may  allow  for  all  other  class  members,  without  regard  to  a  min- 
imum individual  recovery  not  to  exceed  the  lesser  $500,000  or  1  per  centum  of  the 
net  worth  of  the  debt  collector  together  with  the  costs  of  the  action,  and  a  reason- 
able attorney's  fee  as  determined  by  the  court.  (15  U.S.C.  1692K(a)(2)(B)). 

Additional  Consumer  Privacy  Laws 

In  addition  to  the  FDCPA,  several  other  federal  laws  restrict  debt  collection.  For 
example,  42  U.S.C.  §290dd-2  restricts  the  information  that  may  be  released  regard- 
ing any  individual  receiving  treatment  for  mental  health  or  substance  abuse  prob- 
lems. Collection  agencies  that  report  information  to  credit  reporting  agencies  are 
also  governed  by  the  Fair  Credit  Reporting  Act  (FCRA).  This  law  limits  the  medical 
information  that  may  be  disclosed  to  a  third  party.  According  to  an  Informal  FTC 
Staff  Letter  of  Oct.  4,  1985,  "Section  609  of  the  Fair  Credit  Reporting  Act  (FCRA) 
entitles  consumers  (upon  request  and  proper  identification,  and  comphance  with 
conditions  set  out  in  Sections  610  and  612)  to  obtain  disclosure  of  the  nature  and 
substance  of  all  information  except  medical  information  in  the  files  pertaining  to 
those  consumers."  In  explaining  the  exception  for  medical  information,  the  House 
of  Representatives'  Conference  Report  states,  "The  rationale  was  that  raw  medical 
information  should  only  be  tendered  with  the  counsel  of  a  physician  or  other  medi- 
cally trained  personnel." 

In  addition  to  the  federal  restrictions  on  consumer  privacy  in  the  debt  collection 
context,  49  states  have  their  own  medical  privacy  laws,  while  38  states  and  the  Dis- 
trict of  Columbia  have  enacted  debt  collection  laws  and  regulations.  For  example, 
California  law  mandates  that  "[No  person]  shall  acquire  medical  information  regard- 
ing a  patient  without  first  obtaining  [written]  authorization  from  that  party,"  nor 
may  a  user  of  medical  information  further  disclose  it  unless  specific  information  is 
included  on  the  patient's  authorization  form.  By  law,  the  authorization  must  be  in 
at  least  8-point  type,  clearly  separate  from  other  language  on  the  authorization 
form,  and  signed  by  a  patient  or  relative.  It  must  state  the  types  of  medical  informa- 
tion authorized  for  disclosure,  who  may  disclose  and  who  may  acquire  the  informa- 
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tion,  and  the  purposes  of  the  disclosure.  The  authorization  must  also  include  an  ex- 
piration date  (Cal.Civ.Code  §56.20  (West  1982)). 

Colorado  law  provides  that,  "Any  person  who,  without  proper  authorization,  know- 
ingly obtains  a  medical  record  or  medical  information  with  the  intent  to  appropriate 
[it]  to  his  own  use  or  the  use  of  another,  who  steals  or  discloses  to  an  unauthorized 
person  a  medical  record  or  medical  information,  or  who,  without  authority,  makes 
or  causes  to  be  made  a  copy  of  a  medical  record  or  medical  information  commits 
theft,"  (Colo.Rev.Stat.Ann  §18-4-412  (West  1999)). 

In  simimary,  additional  restrictive  privacy  laws  or  regulations  pertaining  to  the 
collection  industry  would  effectively  terminate  the  collection  of  medical  receivables. 
In  order  to  prevent  this,  potential  privacy  regulations  must  be  modified  to  provide 
for  the  rights  of  a  medical  provider  to  retain  the  services  of  debt  collectors,  to  pro- 
vide debt  collectors  with  the  information  necessary  to  collect  the  receivables  in  full 
compliance  with  the  FDCPA  and  related  laws,  and  to  do  so  without  fear  of  non- 
compliance with  any  newly-adopted  privacy  regulations  or  laws. 

MEDICAL  PRIVACY  REGULATIONS: 

The  effect  on  daily  operations  and  business  practices  of  the  collection  industry 

As  you  know,  the  U.S.  Department  of  Health  and  Human  Services  (HHS)  recently 
proposed  a  rule  to  establish  "Standards  for  Privacy  of  Individually  Identifiable 
Health  Information"  (Nov.  3,  1999  Federal  Register,  Vol.  64,  No.  212).  The  proposal, 
which  has  reportedly  elicited  commentaries  fi*om  66,000  individuals  and  businesses, 
would  have  a  disastrous  effect  on  the  ability  of  hospitals  to  collect  amounts  owed 
for  the  services  they  provide  to  local  communities.  In  fact,  ACA  befieves  that  the 
proposed  rule  will  significantly  affect  our  members  in  every  service  they  provide  to 
the  healthcare  industry. 

ACA  submitted  comments  to  HHS  on  Feb.  17,  outlining  the  information  safe- 
guards collectors  already  follow  and  ejroounding  on  several  of  the  rule's  provisions 
that  we  expect  will  adversely  affect  the  industry.  (To  access  ACA's  official  com- 
mentary, please  go  to  http://www.collector.com,  click  on  "Legislative"  and  then  click 
on  "HHS  Commentary.") 

According  to  the  proposed  rule,  third  party  collectors  will  become  "business  part- 
ners" with  their  healthcare  provider  clients,  and,  as  such,  must  meet  specific  re- 
quirements under  the  rule.  Many  collection  agencies  would  have  to  alter  their  poU- 
cies  and  procedures  to  accommodate  these  regulations,  even  though  the  agencies  are 
already  in  fiill  compliance  with  the  FDCPA.  This  dupUcative  regulatory  scheme 
would  add  additional  costs  to  the  healthcare  system  at  the  very  time  government 
leaders  are  seeking  to  minimize  costs  to  the  consumer.  Specifically,  the  proposed  se- 
curity regulations  would  add  additional  compliance  costs,  even  though  collection 
agencies  are  very  secure  in  terms  of  handling  individuals'  confidential  information. 
As  the  rule  is  currently  written,  ACA  member  agencies  would  likely  face  multiple 
contracts — each  with  potentially  different  requirements  and  varying  flows  of  infor- 
mation. Such  a  situation  would,  in  turn,  require  the  agency  to  either  spend  consider- 
able amounts  of  money  on  compliance  (which  would  then  raise  the  cost  of 
healthcare),  or  require  the  agency  to  stop  serving  the  healthcare  industry  alto- 
gether. 

In  addition,  ACA  is  very  concerned  that  third  party  collectors  would  be  held  liable 
for  violations  if  one  of  their  healthcare  provider  clients  violates  the  regulations.  If 
this  is  an  accurate  interpretation,  it  should  be  noted  that  ACA  members  do  not 
want  to  find  themselves  in  this  situation.  In  instances  of  such  violations,  the  rule 
suggests  that  business  partners  should  reject  their  clients'  business.  However,  espe- 
cially in  smaller  communities,  this  could  cause  severe  economic  hardship  for 
healthcare  providers  and  the  debt  collection  agencies  that  they  rely  on  to  collect  on 
accounts  receivable.  This  is  a  very  "gray^'  area  that  needs  to  be  better  defined. 

Another  issue  of  concern  for  ACA  is  that  member  agencies  are  already  working 
under  a  myriad  of  state  and  federal  laws  that  apply  to  collection  practices  and  pri- 
vacy. It  must  be  recognized  that  collection  agencies  and  their  healthcare  provider 
clients,  spanning  multiple  states,  are  not  served  in  the  spirit  of  administrative  sim- 
plification when  requirements  for  performing  the  same  business  tasks  vary  from  re- 
gion to  region.  These  variances  in  rules  and  standards  among  federal  and  state  gov- 
ernmental entities  do  not  promote  privacy.  Instead,  they  provide  more  chances  for 
agencies  to  run  afoul  of  unique  requirements  that  may  only  exist  in  a  few  locations. 
If  the  desired  goal  is  to  improve  privacy  and  lower  the  administrative  costs  of 
healthcare,  the  federal  government  should  work  with  states  to  create  uniform  regu- 
lations and  procedures. 

Overall,  many  in  the  collection  industry  fear  that  the  HHS  regulations  will  result 
in  greater  reluctance  of  covered  entities  to  share  information  witii  business  partners 
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that  may  be  crucial  to  the  success  of  agencies'  collection  activities  for  their 
healthcare  provider  clients.  Currently,  most  collection  agencies  are  already  receiving 
a  minimum  amount  of  necessary  information  needed  to  collect  such  accounts  for 
their  healthcare  provider  clients.  Since  the  healthcare  industry  has  some  standard 
formats  for  billing,  these  often  serve  as  the  basis  for  the  information  that  is  trans- 
ferred to  the  agency. 

It  may  become  necessary  for  additional  information  concerning  the  individual  to 
be  obtained  from  the  provider/client  in  the  coiirse  of  the  third-party  collection  proc- 
ess. This  is  on  an  individual  basis  only,  however,  and  generaUy  is  performed  only 
after  the  provider  and  the  agency  discuss  the  need  for  such  information.  Therefore, 
if  a  minimal  amount  of  data  is  not  shared  by  the  cUenf  provider,  ACA  member  agen- 
cies will  have  greater  difRciilties  collecting  their  accounts,  causing  diminished  cash 
flow  to  healthcare  providers. 

SUMMARY 

It  appears  to  us  that  the  Department  of  Health  and  Human  Services  has  mis- 
understood how  the  collection  process  assists  hospitals  and  other  healthcare  provid- 
ers maintain  a  viable  healthcare  system  in  the  United  States.  In  light  of  the  com- 
ments we  submitted  to  the  HHS,  and  the  topics  covered  in  this  testimony,  ACA  re- 
spectfully requests  that  the  Senate  Committee  on  Health,  Education,  Labor  &  Pen- 
sions recognize  that  any  additional  privacy  restrictions  placed  on  collection  agencies 
will  result  in  additional  costs  to  the  healthcare  industry — costs  that  will  be  borne 
by  consumers,  as  well  as  third  parties.  Accordingly,  we  urge  the  Committee  to  look 
into  the  effects  of  the  HHS  rule,  which,  if  adopted,  would  nave  a  disastrous  impact 
on  the  viability  of  many  healthcare  providers. 

ACA  stands  ready  to  work  with  Committee  members  and  staff  to  advance  efforts 
to  improve  privacy  and  lower  administrative  costs  of  healthcare.  If  you  have  any 
questions  or  concerns  regarding  the  above  comments,  or  the  activities  of  ACA  mem- 
bers, please  contact  me. 

Thank  you,  Mr.  Chairman,  and  members  of  the  Committee,  for  considering  ACA's 
views  on  this  issue. 

Statement  of  the  National  Coalition  for  Patient  Rights 

Thank  you  for  the  opportunity  to  submit  comments  for  your  consideration.  The 
National  CoaUtion  of  Patient  Rights  (National  CPR),  founded  in  1994  in  response 
to  the  increased  erosion  of  patient  confidentiaHty  and  privacy,  is  a  non-profit  advo- 
cacy and  education  organization  dedicated  to  restoring  confidentiality  to  the  cUni- 
cian-patient  relationship. 

National  CPR  is  pleased  that  DHHS  has  identified  medical-records  confidentiality 
as  a  national  priority  and  that  privacy  is  critical  to  the  maintenance  of  quahty 
health  care.  In  addition,  we  commend  HHS  for  estabUshing  a  floor,  not  a  ceihng, 
of  medical  privacy  and  for  expHcitly  recognizing  Jaffee  v.  Redmond  and  the  con- 
fidentiality requirement  for  effective  psychotherapy.  We  would  hope  that  this  Com- 
mittee and  this  Congress  would  start  with  all  these  premises. 

It  is  obvious  that  HHS'  proposed  regulations  do  not  go  far  enough  because  of  the 
limited  scope  of  their  mandate,  but  the  flaws  in  the  proposal  are  deeper  than  this 
problem.  The  proposed  regulations  do  not  protect  the  confidential,  trusting  patient- 
caregiver  relationship  and  the  rules  as  now  written  actually  guarantee  extensive  ac- 
cess to  patients'  hemh-care  records.  The  rules  allow  doctors,  hospitals,  and  other 
health-care  providers  to  freely  disclose  and  use  confidential  medical  information 
without  patient  consent  for  treatment,  payment,  broadly-defined  "health-care  oper- 
ations" and  13  other  national  priorities.  Our  complete  comments  to  HHS  are  avail- 
able on  our  website  at  www.nationalcpr.org. 

We  \irge  the  committee  to  adopt  the  following  recommendations  if  it  decides  to 
seek  legislation  (Please  refer  to  Attachment  A  for  more  details): 

1)  Authorization  and  consent:  Permit  and  require  non-coerced  informed  patient 
consent  for  any  disclosures/ 

uses  of  identifiable  health  information.  This  is  essential  to  patient  autonomy,  dig- 
nity, confidentiaHty  and  privacy,  all  of  which  form  the  basis  of  a  trusting,  patient- 
provider  relationship  necessary  for  quality  health  care. 

2)  A  legal  floor  of  protection:  Retain  non-preemption  of  stronger  state  privacy  law 
and  include  any  State  law  that  recognizes  psychotherapist-patient  privilege. 

3)  Self-pay  option:  Allow  patients  the  right  to  decHne  disclosures  for  payment  and 
health  care  operations  if  they  pay  for  care  themselves. 

4)  No  National  Patient  Identifier:  National  CPR  opposes  the  implementation  of  a 
National  Patient  Identifier  or  system  that  accompUshes  linkage,  i.e.  a  master  pa- 
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tient  index.  We  strongly  recommend  the  repeal  of  that  provision  in  HIPAA^  consist- 
ent with  the  public  outcry  that  resulted  in  its  delayed  implementation  in  1998, 

5)  Computerization  of  records:  Allow  patients  to  decline  networked  computeriza- 
tion of  medical  information. 

6)  Sensitive  information:  EstabUsh  higher  protections  for  sensitive  information,  as 
is  already  done  in  the  proposed  regulations  for  psychotherapy.  This  could  be  accom- 
plished by  following  existing  statutes  that  already  protect  information  generally  ac- 
knowledged as  sensitive  or  stigmatizing  (substance  abuse,  mental  he^th,  commu- 
nicable and  sexually  transmitted  diseases,  HIV,  reproductive  information,  genetic 
testing,  abuse,  neglect,  domestic  violence,  and  sexual  assaxilt,  P.  333,  HHS  regula- 
tions). By  requiring  a  separate  consent  for  disclosure  of  this  information,  inadvert- 
ent disclosure  would  be  minimized. 

7)  Psychotherapy:  The  separate  consent  for  disclosure  of  psychotherapy  notes 
needs  to  include  other  purposes  (i.e.  public  health,  research,  oversight,  government 
health  data  systems,  coroners/medical  examiners,  law  enforcement,  next  of  kin,  and 
hospital  directories),  and  not  just  for  care,  payment  and  health  care  operations.  The 
only  exceptions  for  this  would  be  the  reporting  of  the  limited  information  required 
by  law  in  cases  of  imminent  danger  to  oneself  or  another,  and  abuse  or  neglect.  In 
addition,  we  suggest  using  the  Washington  D.C.  and  New  Jersey  peer  review  laws 
for  psychotherapy  as  a  model  for  the  information  therapists  could  disclose  for  care, 
payment  and  health  care  operations:  Patient's  name,  age,  sex,  address,  identification 
nimiber,  dates  and  type  of  service  (i.e.  individual,  family,  group),  fees,  diagnosis  and 
some  prognosis  (related  to  treatment  duration).  If  more  information  is  requested,  a 
peer-review  mechanism  is  used.  This  would  be  consistent  with  the  recent  Surgeon 
General's  Report  on  Mental  Health  (Chapter  7)  in  which  a  strong  case  was  made 
for  protecting  psychotherapy  communications  by  using  these  existing  state  statutes 
as  a  model.  In  doing  so,  you  would  enhance  the  higher  protections  you  already  rec- 
ommend for  psychotherapy  notes. 

8)  Research:  Require  either  patient  consent  or  a  prospective  delegated  blanket 
consent  to  a  Medical  Records  Review  Board  (MRRB)  or  similar  body  with  increased 
representation  from  the  local  geographic  community.  Prospective  consent  would  be 
obtained  upon  entry  into  a  health  care  facility,  at  the  start  of  treatment  or  upon 
enrollment  in  a  plan. 

The  policy  we  suggest  would  respect  people's  autonomy,  dignity  and  privacy  while 
allowing  needed  research  to  proceed.  If  adopted,  this  woidd  likely  encourage  wiUing 
participation  in  studies  and  open  communication  with  health  care  providers.  In  the 
final  analysis,  our  nation  will  benefit  not  only  from  patients'  candor,  but  also  from 
allowing  important  biomedical  and  health  services  research  to  go  forward. 

9)  Public  health:  Current  exceptions  for  disease-specific  reporting,  public  health 
investigations  in  which  there  is  imminent  danger  at  stake  should  remain  but  should 
not  apply  to  broadly-defined  routine  public  health  surveillance.  For  public  health 
surveillance  and  epidemiological  research,  use  the  same  policies  as  for  biomedical 
research,  with  a  strong  preference  for  informed  consent  (#8  above). 

10)  De-identified  information:  Include  coded  and  hnkable  iniformation  as  "pro- 
tected health  information". 

11)  Law  enforcement:  Access  to  medical  records  should  be  limited  to  court  order 
with  full  4th  amendment  protections  (rather  than  just  a  subpoena  or  law  enforce- 
ment investigation),  requiring  probable  cause  that  the  individual  has  committed  a 
crime.  In  fi'aud  investigations,  anonymous  records  should  be  used  to  determine 
firaudulent  patterns,  and  identifiable  information  used  only  if  there  is  evidence  of 
fi-aud  by  a  provider  or  patient  and  individual  identification  is  absolutely  necessary. 

It  is  critical  that  Congress  acts  wisely.  Our  medical  information  contains  much 
which  can  affect  our  sense  of  self,  our  dignity,  and  our  personal,  professional,  and 
financial  relationships.  Once  this  genie  of  information  is  released,  it  will  be  impos- 
sible to  put  back  into  the  privacy  bottle.  At  stake,  are  not  only  individual  lives,  but 
also  the  quafity  of  our  health  care  system.  Once  people  lose  trust  in  its  abihty  to 
hold  information  securely,  they  will  not  let  health  professionals  know  enough  to 
treat  them  effectively. 

Statement  of  the  American  Psychoanalytic  Association 

The  Health  Information  Privacy  Regulations  proposed  by  the  Administration  on 
November  3,  1999  represent  one  of  the  most  thoughtful  efforts  to  date  to  address 
the  growing  threat  to  the  privacy  of  identifiable  health  information.  The  preamble 
to  the  regulations  sets  forth  the  most  thorough  analysis  of  the  importance  of  medical 
information  privacy  to  quahty  health  care  and  the  pubhc's  confidence  in  the  health 
delivery  system.  With  the  exception  of  the  protection  for  "psychotherapy  notes," 
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however,  the  privacy  protections  in  the  proposed  regulations  do  not  fulfill  the  prom- 
ise of  the  preamble. 

As  the  preamble  notes,  the  preservation  of  health  information  privacy  is  a  "major 
concern"  of  citizens.  Health  information  privacy  is  also  essential  for  quality  health 
care  because  without  an  assurance  of  privacy,  individuals  will  not  make  the  disclo- 
sures to  physicians  and  other  caregivers  necessary  for  treatment  and  diagnosis, 
caregivers  will  not  accurately  record  information  in  the  medical  record  and  individ- 
uals will  refi^n  from  seeking  the  care  they  need. 

The  preamble  correctly  notes  that  an  assurance  of  "strict  confidentiality"  is  essen- 
tial for  patients  to  receive  effective  psychotherapy.  That  conclusion  is  supported  by 
the  "reason  and  experience"  reflected  in  the  therapist-patient  privilege  which  is  rec- 
ognized by  the  statutory  laws  in  all  50  states  and  the  District  of  Columbia,  both 
federal  and  state  common  law,  the  ethical  standards  of  every  mental  health  profes- 
sional association,  and  the  recently  released  Surgeon  General's  Report  on  Mental 
Health.  The  common  thread  of  all  of  these  laws  and  standards  is  that  therapist-pa- 
tient communications  cannot  be  disclosed  beyond  the  therapist  without  the  patient's 
consent. 

The  underlying  statute  directs  the  Secretary  to  issue  regulations  that  address  at 
least  the  rights  that  individuals  "should  have"  with  respect  to  their  identifiable 
health  information.  The  preamble  notes  that  privacy  is  a  fundamental  right  which 
is  an  element  of  the  constitutional  right  to  liberty,  but  the  regulations  make  no 
mention  of  an  individual's  right  to  privacy  for  identifiable  health  information. 

The  regulations  also  eliminate  the  traditional  requirement  of  obtaining  patient 
consent  before  disclosing  identifiable  health  information  except  for  marketing  and 
certain  other  "non-health"  related  uses.  Accordingly,  these  regulations  woiild  permit 
disclosure  of  most  identifiable  health  information  for  most  uses  without  patient  no- 
tice or  consent. 

In  an  exception  to  the  general  rule,  the  regulations  require  consent  for  the  disclo- 
sure of  "psychotherapy  notes"  for  the  purposes  of  treatment,  payment  and  health 
care  operations.  The  regulations,  however,  permit  the  disclosure  of  psychotherapy 
communications  that  do  not  come  within  the  narrow  definition  of  "psychotherapy 
notes"  and  do  not  recognize  even  that  narrow  exception  for  13  other  uses  character- 
ized as  "national  priorities."  Accordingly,  the  regulations  do  not  afford  the  protection 
for  psychotherapy  commimications  that  is  generally  accepted  as  being  essential  for 
effective  psychotherapy  services. 

The  preamble  to  the  regulations  recognizes  that  statutory  authority  has  not  been 
granted  to  permit  effective  enforcement  of  the  privacy  protections  contained  in  the 
regulations.  Further,  the  protections  in  the  regulations  are  unenforceable  because, 
in  the  absence  of  notice  of  specific  disclosures  or  consent,  individuals  will  have  no 
way  of  knowing  when,  where  and  to  whom  their  information  was  disclosed.  Two  of 
the  principal  privacy  protections  in  the  regulations — the  limitation  on  disclosures  to 
the  minimum  information  necessary  for  the  intended  use  and  the  "right  to  restrict" 
disclosures  that  are  otherwise  allowable — are  particularly  unenforceable.  The  infor- 
mation necessary  for  an  intended  use  varies  with  the  size  and  technical  capability 
of  the  disclosing  entity,  and  providers  have  a  right  to  refuse  any  request  to  restrict 
disclosures. 

The  regulations  appropriately  do  not  preempt  state  privacy  laws,  including  state 
common  laws,  which  furnish  "more  stringent"  privacy  protections.  The  recognition 
of  state  common  laws  is  particularly  appropriate  because  most  privacy  protections 
are  found  in  state  common  laws,  and  those  court  ruHngs  reflect  the  history  of  "rea- 
son and  experience"  in  those  states.  i.    ^  „  . 

The  American  Psychoanalytic  Association  believes  that  the  following  changes 
must  be  made  in  the  regulations  if  the  pubUc's  confidence  in  the  health  delivery  sys- 
tem is  to  be  preserved:  ,     , ,  , 

1.  Individuals'  right  to  privacy  for  identifiable  health  information  should  be  ex- 
pressly recognized.  ^  _   ,  ,  u 

2.  The  right  of  patients  to  give  or  withhold  consent  for  most  disclosures  should 
be  preserved.  , .   „  ,       .         ^  . 

3.  The  regulations  should  establish  "strict  confidentiahty"  protections  for  mental 
health  information  and  specify  the  information  that  may  be  disclosed  with  patient 
consent  to  third  party  payors.  This  approach  is  consistent  with  federal  and  state 
common  law  and  has  been  in  effect  for  15-20  years  in  New  Jersey  and  the  District 

of  Columbia.  •  •  ^.1. 

4.  The  privilege  recognized  for  psychotherapist-patient  commumcations  m  the 
1996  Supreme  Court  decision  in  Jaffee  v.  Redmond  should  be  recognized  in  the  reg- 
ulations. They  also  should  provide  that  any  disclosure  for  a  purpose  under  the  regu- 
lations will  not  constitute  a  waiver  of  the  federal  or  state  privilege. 
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5.  Patients  should  be  permitted  to  preserve  the  privacy  of  their  health  information 
by  paying  for  services  with  their  own  funds. 

Privacy  is  essential  for  quality  health  care,  but  it  is  also  an  indispensable  element 
of  the  right  to  liberty — one  of  the  core  principles  of  our  Constitution.  These  prin- 
ciples have  been  forged  and  preserved  through  the  sacrifices  of  prior  generations. 
With  the  consideration  of  the  right  to  medical  privacy,  we  reach  one  of  those  critical 
points  in  our  nation's  history  when  we  must  decide  whether  we  remain  committed 
to  those  principles. 

Prepared  Statement  of  American  Healthways,  Inc. 

American  Healthways,  Inc.  ("AMHC"),  the  successor  corporate  name  of  American 
Healthcorp,  Inc.,  appreciates  the  opportunity  to  submit  the  following  comments  for 
inclusion  in  the  record  of  the  Senate  Health,  Education,  Labor  and  Pensions  Com- 
mittee Hearing  on  Medical  Records  Privacy  on  April  26,  2000. 

Overall  AMHC  strongly  supports  the  Department  of  Health  and  Human  Services' 
proposed  privacy  regulations  published  at  64  Fed.  Reg.  59,918  (Nov.  3,  1998),  par- 
ticularly the  inclusion  of  disease  management  in  the  definition  of  treatment.  It  is 
imperative  to  legitimate  disease  management  organizations  that  the  use  and  disclo- 
sure of  identifiable  health  information  for  disease  management  be  permitted  with- 
out individual  authorizations  and  without  physician  approval.  This  is  currently  per- 
mitted in  the  proposed  regulations  and  is  essential  to  the  continued  operation  and 
success  of  disease  management  programs.  AMHC  and  similar  disease  management 
organizations,  however,  are  extremely  concerned  about  the  lack  of  a  uniform  stand- 
ard. Accordingly,  AMHC  believes  that  complete  federal  preemption  of  all  state  medi- 
cal privacy  laws  is  imperative. 

AMHC,  headquartered  in  Nashville,  Tennessee,  is  the  nation's  leading  operator  of 
care  and  disease  management  services  with  160,000  lives  under  management. 
AMHC's  Diabetes  Healthways,  Cardiac  Healthways,  and  Respiratory  Healthways 
programs  have  proved  effective  at  significantly  improving  health  status  and  decreas- 
ing overall  cost  for  these  disease  populations. 

The  privacy  of  individually  identifiable  health  information  is  of  utmost  importance 
to  AMHC.  AMHC  has  extensive  policies  and  procedures  to  protect  patient  confiden- 
tiality. As  a  result,  neither  AMHC  nor  its  clients  have  received  a  single  confidential- 
ity or  privacy  complaint  regarding  AMHC's  disease  management  programs.  AMHC 
provides  these  comments  to  the  Subcommittee  from  this  perspective. 

DISEASE  management  IN  THE  PROPOSED  REGULATIONS 

The  proposed  regulations  allow  a  covered  entity  to  use  or  disclose  protected  health 
information  without  individual  authorization  "to  carry  out  treatment,  payment,  or 
health  care  operations."  "Treatment"  is  defined  as  "the  provision  of  health  care  by, 
or  the  coordination  of  health  care  (including  health  care  management  of  the  individ- 
ual through  risk  assessment,  case  management,  and  disease  management)  among, 
health  care  providers;  the  referral  of  a  patient  from  one  provider  to  another;  or  the 
coordination  of  health  care  or  other  services  among  health  care  providers  and  third 
parties  authorized  by  the  health  plan  or  the  individual."  Under  this  definition,  use 
and  disclosure  of  protected  health  information  for  disease  management  is  permis- 
sible without  individual  authorization. 

It  is  imperative  that  this  be  maintained.  The  use  of  identifiable  health  informa- 
tion without  patient  authorization  is  essential  to  the  ability  of  disease  managers 
such  as  AMHC  to  provide  and  obtain  the  greatest  benefits  for  patients  from  its  dis- 
ease management  services. 

AMHC  has  utilized  both  an  enrollment  or  "opt-in"  model  and  an  engagement  or 
"opt-out"  model  for  its  disease  management  programs.  Under  the  enrollment  model, 
individuals  choose  whether  to  participate  in  the  disease  management  program.  In 
an  engagement  model,  plan  members  are  automatically  provided  the  benefit  of  the 
disease  management  program,  but  may  choose  to  "opt-out"  of  participation.  Al- 
though an  argument  might  be  made  that  the  enrollment  model  provides  greater  pri- 
vacy protection,  it  unnecessarily  intrudes  upon  the  existing  coordination  of  care,  pro- 
ducing vastly  inferior  health  care  outcomes  to  the  engagement  or  "opt-out"  model. 

By  way  of  direct  comparison,  AMHC  documented  that  with  the  engagement  model 
AMHC's  programs  achieve  98  percent  participation,  compared  to  less  than  30  per- 
cent for  a  tvpical  enrollment  model.  Additionally,  cost  savings  are  dramatically  less 
for  an  enrollment  model.  For  example,  annualized  diabetes  health  care  cost  savings 
for  an  average  100,000  member  plan  under  the  engagement  model  is  $1,738,716  as 
compared  to  only  $443,550  for  an  enrollment  model. 

The  reason  for  the  difference  in  participation  rates  and  cost  savings  is  that  people 
with  chronic  diseases  often  suffer  from  inertia  and  denial  about  their  disease.  The 
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engagement  process  circumvents  this  avoidance  tendency.  Typically,  the  individuals 
who  opt-in  are  the  healthier  patients  who  are  already  highly  motivated  to  manage 
their  disease.  These  people  are  less  in  need  of  the  extensive  disease  management 
programs  and,  therefore,  the  clinical  improvements  in  these  patients  (with  their  con- 
comitant cost  savings),  while  still  present,  are  less  significant. 

An  engagement  model  strikes  the  right  balance  between  the  competing  interests 
of  individual  privacy  rights  on  the  one  hand  and  the  tremendous  chnical  and  finan- 
cial benefits  of  disease  management  on  the  other.  Allowing  individuals  to  opt-out 
still  provides  individuals  a  choice  and  yet  retains  the  tremendous  chnical  and  finan- 
cial benefits  of  disease  management  for  the  largest  number  of  individuals.  Moreover, 
because  disease  managers  are  business  partners,  confidentiahty  of  protected  health 
information  remains  protected  from  secondary  use  or  disclosure.  Accordingly,  dis- 
ease management  programs  must  be  allowed  to  continue  to  use  and  receive  pro- 
tected health  information  for  disease  management  without  patient  authorization. 

COMPLETE  FEDERAL  PREEMPTION 

In  the  proposed  regulations,  HHS  states  "HIPAA  provides  that  the  rule  promul- ~ 
gated  by  [HHS]  may  not  preempt  state  laws  that  are  in  conflict  with  the  regulatory 
requirements  and  that  provide  greater  privacy  protections."  Although  HHS  may  lack 
the  authority  to  preempt  state  privacy  laws,  complete  preemption  of  state  laws  is 
imperative.  AMHC  thus  far  has  managed  to  operate  in  comphance  with  all  applica- 
ble state  laws.  However,  maneuvering  around  the  varying  and  often  incompatible 
requirements  of  so  many  state  laws  has  been  difficult.  Soon,  the  task  may  be  impos- 
sible. Since  the  nation's  attention  has  been  focused  on  medical  records  privacy 
issues,  many  states  have  enacted  new  privacy  laws  and  almost  all  states  have  sig- 
nificant privacy  legislation  pending. 

Cahfomia  recently  enacted  a  new  privacy  statute  which  only  allows  disclosure  of 
identifiable  health  information  for  disease  management  if  the  services  are  approved 
by  the  patient's  primary  care  provider.  The  health  plans,  more  ofl;en  than  providers, 
contract  with  AMHC  for  the  provision  of  disease  management  services.  Individuals, 
therefore,  are  entitled  to  disease  management  services  by  virtue  of  their  member- 
ship in  the  plan,  not  as  a  function  of  their  relationship  with  a  physician.  Individuals 
should  be  able  to  decide  whether  to  "opt-out"  of  participation  in  the  disease  manage- 
ment program  offered.  Physicians  should  not  be  permitted  to  impede  the  provision 
of  these  services  to  their  patients.  The  requirement  that  the  physician  authorize  dis- 
ease management  services  imposes  an  additional  administrative  burden  that  wiU 
substantially  diminish  the  number  of  CaHfomians  who  may  benefit  from  disease 
management  services. 

Some  state  privacy  laws  directly  conflict  with  others,  making  it  impossible  to  pro- 
vide the  same,  consistent  services  to  residents  of  different  states.  Health  plans  that 
contract  with  national  employers  (e.g..  Federal  Express)  want  and  need  to  provide 
a  uniform  set  of  benefits  to  all  their  employees.  This  is  impossible  with  the  varying 
and  ofl^n  conflicting  state  laws  and  requirements.  In  addition,  a  health  plan  which 
is  national  in  scope  (e.g.,  Cigna)  needs  the  abihty  to  sell  and  dehver  uniform  prod- 
ucts, again  extremely  onerous,  if  not  impossible,  without  one  uniform  standard. 

Furthermore,  disease  managers  such  as  AMHC  must  keep  abreast  of  all  state 
laws  and  ensure  comphance  with  each  state's  nuances,  requirements  and  prohibi- 
tions. This  is  becoming  extremely  difiicult  and  significantly  adds  to  the  cost  and 
burdens  on  the  deHvery  of  health  care,  generally,  and  disease  management  services, 
specifically. 

Finally,  it  is  often  difficult  to  know  which  state's  laws  apply.  It  is  conceivable  that 
for  one  transfer  of  protected  health  information,  several  states'  laws  could  be  apph- 
cable.  For  example,  in  the  disclosure  of  protected  health  information  fi-om  a  health 
plan  to  a  disease  management  organization,  the  following  state  laws  could  apply: 
(1)  the  state  in  which  the  health  plan  (the  disclosing  entity)  is  based,  (2)  the  state 
in  which  the  business  partner  (the  receiving  entity)  is  based,  (3)  the  state  in  which 
the  health  care  services  contained  in  the  protected  health  information  were  ren- 
dered, (4)  the  state  in  which  the  disease  management  services  are  provided  and  (5) 
the  state  in  which  the  individual  patient  resides.  Thus,  it  is  entirely  possible  that 
inconsistent  standards  and  requirements  could  apply  to  one  disclosure  or  use  of  pro- 
tected health  information.  The  uncertainty  of  which  laws  apply  as  well  as  the  com- 
plexity and  difficulty  in  complying  with  the  various  state  laws  will  likely  cripple  the 
delivery  of  health  care  and  disease  management  services,  especially  as  states  con- 
tinue to  enact  more  sophisticated,  compHcated  and  extensive  health  care  privacy  leg- 
islation. 

Accordingly,  to  preserve  the  continued  provision  of  high  quahty,  affordable  health 
care  incluchng  disease  management  services,  complete  federal  preemption  of  state 
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privacy  laws  is  imperative.  Without  preemption,  the  processes  associated  with  the 
delivery  of  health  care  could  come  to  a  screeching  halt  as  they  did  in  Maine  when 
that  State  enacted  an  over-zealous  privacy  law. 

Congress  should  either  provide  HHS  with  such  preemption  authority  or  them- 
selves exercise  congressional  authority  to  provide  complete  federal  preemption  of 
state  medical  privacy  laws.  One  consistent,  uniform  standard,  especially  given  the 
electronic  world  in  which  we  now  find  ourselves,  is  absolutely  imperative  and  ur- 
gently needed.  Congress  has  the  authority  to  preempt  state  laws  in  this  area  as  the 
electronic  exchange  of  identifiable  health  information  involves  interstate  commerce 
as  it  is  an  interstate  activity.  Health  plans,  employers,  providers  and  disease  man- 
agers often  provide  services  to  individuals  in  multiple  states.  Accordingly,  Congress 
must  exercise  its  preemption  authority  to  ensure  uniformity  and  clarity  in  the  use, 
disclosure  and  protection  of  identifiable  health  information. 

Prepared  Statement  of  the  Consortium  for  Citizens  with  Disabilities 
I.  general  privacy  concerns 

The  Consortium  for  Citizens  with  Disabilities  (CCD)  is  a  Washington-based  coali- 
tion of  approximately  100  national  disability,  consumer,  advocacy,  provider  and  pro- 
fessional organizations  that  advocate  on  behalf  of  the  54  million  children  and  adults 
with  disabilities  and  their  families  in  the  United  States.  As  advocates  for  people 
with  disabilities,  CCD  supports  strong  privacy  protections  that  give  health  care  con- 
sumers confidence  that  their  information  will  be  used  appropriately  and  that  permit 
the  continued  viability  of  medical  research  and  dehvery  of  quahty  health  care. 

All  persons  who  receive  health  care  services  have  reason  to  be  concerned  with  the 
inappropriate  use  of  highly  personal  information  that  is  collected  about  them  within 
the  health  care  system.  As  a  coalition  representing  people  Uving  with  disabilities, 
however,  CCD's  views  on  this  issue  are  somewhat  unique.  Because  people  with  dis- 
abilities have  extensive  medical  records  and  sometimes  stigmatizing  conditions, 
such  individuals  feel  a  particular  urgency  to  ensure  that  proper  privacy  protections 
are  in  place.  At  the  same  time,  many  people  with  disabilities  interact  almost  daily 
with  the  medical  establishment  and  thus  benefit  from  a  well-run,  effective  health 
care  system.  Such  individuals  do  not  want  privacy  protection  to  reduce  the  effective- 
ness of  the  health  care  system  they  must  navigate. 

CCD  has  been  actively  involved  in  the  medical  privacy  debate,  and  believes  that 
the  desire  for  medical  privacy  and  the  desire  for  an  effective  health  care  system  are 
neither  in  conflict  with  each  other,  nor  do  they  require  "balancing"  of  one  interest 
against  another.  Rather,  establishing  privacy  protection  can  enhance  the  operation 
of  the  health  care  system  by  increasing  individuals'  trust  and  confidence  in  that  sys- 
tem. A  national  survey  released  in  January  1999  found  that  one  in  six  Americans 
engages  in  some  form  of  "privacy  protective  behavior"  because  he  or  she  is  afi^id 
of  confidentiality  breaches  regarding  sensitive  medical  information.  These  activities 
include  withholding  information  from  health  care  providers,  providing  inaccurate  in- 
formation, doctor-hopping  to  avoid  a  consoUdated  medical  record,  paying  out  of  pock- 
et for  care  that  is  covered  by  insurance,  and-in  some  cases-avoiding  care  altogether. 
None  of  this  is  good  for  either  consumers  or  the  health  care  system. 

II.  GENERAL  APPROACH  OF  THE  PROPOSED  REGULATIONS 

CCD  applauded  the  President  and  the  Secretary's  action  to  release  the  proposed 
rule.  Afl;er  reviewing  the  proposal,  we  continue  to  beheve  that  the  Department  of 
Health  and  Human  Services'  efforts  hold  the  potential  to  significantly  increase  pri- 
vacy protections,  and  equally  important,  provide  people  new  assurances  that  their 
deeply  personal  medical  information  will  be  used  appropriately.  We  also  believe  that 
the  proposal  provides  an  important  foimdation  for  Congress  to  build  upon  in  protect- 
ing privacy  and  maintaining  quaUty  health  care.  We  are  particularly  pleased  that 
the  proposed  rule  would  not  pre-empt  more  protective  state  laws  and  acknowledges 
that  people  with  disabilities  and  other  sensitive  conditions  may  need  special  protec- 
tions (such  as  through  the  handling  of  psychotherapy  notes).  We  are  also  pleased 
that  the  proposed  rule  requires  covered  entities  to  contract  with  business  partners 
and  name  as  third  party  beneficiaries  individuals  whose  protected  health  informa- 
tion is  used  or  disclosed.  We  commend  the  Secretary  for  proposing  that  individuals 
be  permitted  to  access  and  copy  their  health  information.  We  are  also  pleased  that 
the  Secretary  acknowledges  the  continued  need  for  federal  legislation  to  fill  gaps  the 
Secretary  did  not  have  authority  to  cover  imder  the  Health  Insurance  Portability 
and  AccountabiUty  Act  of  1996  (HIPAA). 
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While  we  acknowledge  the  leadership  of  the  President  and  Secretary  in  moving 
the  process  forward,  we  have  foiind  areas  in  the  proposed  rule  that  we  find  unwork- 
able or  that  need  bolstering. 

in.  COMMENTS  TO  PROPOSED  RULE 

The  Secretary  published  her  proposed  rule  in  the  Federal  Register  on  November 
3,  1999.  While  the  initial  comment  period  was  scheduled  to  close  on  January  3, 
2000,  in  an  effort  to  ensure  that  all  interested  parties  had  appropriate  time  to  sub- 
mit comments,  the  Secretary  extended  the  comment  period  until  February  17,  2000. 
CCD  believes  that  the  Secretarjr's  extension  of  the  comment  period  is  indicative  of 
her  effort  to  ensure  that  parties  have  their  concerns  considered  for  the  final  rule. 
CCD  believes  the  Secretary  will  carefiilly  and  thoughtfully  review  and  consider  each 
of  the  comments  she  received  in  accordance  with  the  Administrative  Procedure  Act. 
The  Administrative  Procedure  Act  has  appropriate  safeguards  to  ensure  that  any 
final  rule  take  into  consideration  "relevant  matter  presented."  5  U.S.C.A.  §553 
(1966). 

CCD  is  concerned  that  an  additional  review  by  the  Government  Accounting  Office 
(GAO)  prior  to  the  final  rule  is  inappropriate  and  unnecessary  and  would  not  facili- 
tate the  rulemaking  process.  CCD  has  been  informed  that  the  Secretary  received 
over  50,000  comments  of  which  a  significant  majority  were  fi:x)m  consumers  who  are 
very  interested  in  a  final  rule.  At  tiiis  stage,  a  review  by  GAO  inappropriately  as- 
sumes that  the  Secretary  has  acted  improperly.  CCD  strongly  believes  that  the  Sec- 
retary should  be  given  an  opportunity  to  review  comments  and  issue  a  final  rule 
before  any  review  by  GAO.  It  is  unclear  what  purpose  a  review  at  this  stage  would 
serve.  Such  a  review  prior  to  the  final  rule  would  also  be  inconsistent  with  the  dele- 
gation of  authority  under  HIPAA.  HIPAA  mandated  that  the  Secretary  issue  regula- 
tions if  Congress  failed  to  enact  comprehensive  medical  privacy  legislation  by  Au- 
gust, 1999.  Now  that  the  Secretary  is  working  to  promulgate  a  final  rule,  it  would 
appear  that  Congress  seeks  to  unnecessarily  scrutinize  the  Secretary's  efforts.  We 
strongly  believe  mat  any  evaluation  of  the  comments  should  be  conducted  afi;er  the 
final  rule.  Because  Congress  failed  to  meet  its  self-imposed  August  1999  deadline, 
CCD  strongly  believes  that  timely  promulgation  of  the  final  rule  in  accordance  with 
HIPAA  is  extremelv  important.  CCD  urges  Congress  to  facilitate  this  process  by  not 
taking  any  action  tnat  would  stall  implementation  of  the  final  rule. 

IV.  THE  SECRETARY'S  AUTHORITY  UNDER  HIPAA 

The  delegation  under  HIPAA  limited  the  Secretary's  authority  in  three  important 
areas.  The  Secretary  only  had  authority  to  cover  health  plans,  health  clearinghouses 
and  certain  health  care  providers,  and  information  transmitted  or  maintained  elec- 
tronically. HIPAA  also  did  not  provide  a  private  right  of  action  for  individuals  whose 
health  information  has  been  improperly  used  or  disclosed.  We  encourage  Congress 
to  enact  legislation  to  fill  these  gaps. 

A  Covered  Entities 

While  the  Secretary  covered  entities  permitted  under  HIPAA,  unfortunately, 
many  entities  (such  as  life  insurers,  employers  and  marketing  firms)  that  receive, 
use  and  disclose  protected  health  information  are  not  required  to  comply  with  the 
regulations.  We  believe  that  directly  covering  these  entities  is  necessary  to  ade- 
quately protect  patient  privacy.  While  we  believe  that  entities  who  receive  informa- 
tion should  be  directly  covered  at  the  federal  level,  we  commend  the  Secretary  for 
acting  within  the  limits  of  HIPAA  and  constructing  the  business  partner  rules  to 
cover  entities  who  regularly  use  and  disclose  protected  health  information. 

B.  Covered  Information 

As  part  of  administrative  simplification,  HIPAA,  arguaoly,  limited  the  Secretary's 
authority  to  protect  only  information  transmitted  or  maintained  electronically. 
While  the  Secretary  discusses  her  authority  at  length,  we  are  concerned  that  people 
with  disabilities  may  be  reluctant  to  seek  care  or  to  honestly  discuss  sensitive 
health  conditions  if  all  of  their  health  information  is  not  confidential.  Privacy  is  es- 
pecially important  to  people  with  disabihties  because  they  may  have  stigmatizing 
conditions  which,  if  disclosed,  could  result  in  discrimination  and  embarrassment. 
Because  of  the  complexity  of  the  health  care  system,  most  patients  will  never  know 
what  information,  if  any,  is  stored  electronically.  Even  if  patients  are  able  to  deter- 
mine what  information  is  maintained  electronically,  they  will  likely  fear  that  some 
portion  is  in  paper  format.  Without  privacy  protection  for  all  health  mformation, 
people  with  disabilities  will  be  reluctant  to  discuss  their  condition.  We  know  that 
this  leads  to  bad  health  outcomes  and,  in  some  cases,  would  cause  people  to  forego 
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medical  care  entirely.  The  only  way  to  ensure  patient  confidence  in  the  health  care 
system  is  to  make  the  proposed  rule  applicable  to  all  information. 

C.  PRIVATE  RIGHT  OF  ACTION 

Under  the  proposed  rule,  individuals  whose  protected  health  information  has  been 
improperlv  used  or  disclosed  will  have  no  recourse.  While  we  recognize  that  the  Sec- 
retary did.  not  have  authority  under  HIPAA  to  create  a  private  right  of  action,  we 
strongly  beUeve  that  Congress  should  enact  legislation  to  fill  this  important  gap. 
Many  federal  privacy  statutes  have  private  right  of  action  provisions  including  the 
Privacy  Act  of  1974  (5  U.S.C.  552a),  Electronic  Communications  Privacy  Act  (18 
U.S.C.  2701  et  seq.),  Right  to  Financial  Privacy  Act  (12  U.S.C.  3401  et  seq.),  Fair 
Credit  Reporting  Act  (15  U.S.C.  1681  et  seq.),  Cable  Communications  Act  (47  U.S.C. 
551),  Videotape  Privacy  Protection  Act  (18  U.S.C.  2710)  and  the  Driver's  Privacy 
Protection  Act  (18  U.S.C.  2721  et  seq.). 

V.  IMPORTANT  AREAS  WHERE  THE  REGULATION  COULD  BE  IMPROVED 

While  we  have  many  concerns  with  the  proposed  rule,  we  believe  that  the  rule 
provides  greater  protections  than  exist  today  and  is  an  important  foundation  upon 
which  to  build.  ^Hiile  we  have  submitted  comprehensive  comments  to  the  Secretary, 
we  have  highlighted  five  important  areas  for  people  with  disabilities,  and  beUeve, 
at  a  minimum,  the  following  changes  are  necessary:  (1)  require  covered  entities  to 
obtain  a  written  authorization  prior  to  using  or  disclosing  protected  health  informa- 
tion for  treatment,  payment  and  health  care  operations,  (2)  require  entities  to  obtain 
authorization  prior  to  communicating  with  the  individual  about  sensitive  health  con- 
ditions, (3)  require  covered  entities  to  first  determine  whether  de-identified  informa- 
tion can  be  used  to  accomplish  the  purpose  of  the  use  or  disclosure,  (4)  prohibit  dis- 
closure of  protected  health  information  for  law  enforcement  piuposes  without  a  war- 
rant firom  a  neutral  judicial  officer,  and  (5)  extend  protections  of  tiie  regulations  to 
all  individually  identifiable  health  information. 

A  Signed  Authorization  for  Treatment,  Payment  and  Health  Care  Operations 

(Section  164.506  Uses  and  disclosures  of  protected  health  information:  genered 
rules) 

The  proposed  rule  permits  covered  entities  to  use  and  disclose  protected  health 
information  for  treatment,  payment  and  health  care  operations  without  individual 
authorization.  A  signed  authorization  fix>m  the  individual  is  extremely  important. 
This  issue  was  addressed  at  length  bv  the  Health  Privacy  Working  Group,  a  panel 
comprised  of  diverse  stakeholders  including  disability  and  mental  health  advocates, 
health  plans,  providers,  employers,  standards  and  accreditation  representatives,  and 
experts  in  public  health,  medical  ethics,  information  systems  and  health  policy.  See 
Best  Principles  for  Health  Privacy,  a  Report  of  the  Health  Privacy  Working  Group 
(July  1999).  This  diverse  group  noted  that,  as  a  general  rule,  requiring  patient  au- 
thorization prior  to  disclosure  can:  bolster  patient  trust  in  providers  and  health  care 
organizations  by  acknowledging  the  patient's  role  in  health  care  decisions;  serve  as 
recognition  that  notice  was  given  and  the  patient  was  aware  of  the  risks  and  bene- 
fits of  disclosiu-e;  and  define  an  "initial  moment"  in  which  patients  can  raise  ques- 
tions about  privacy  concerns  and  learn  more  about  options  available  to  them. 

We  find  the  Secretary's  proposed  rule  extremely  troublesome  because  it  does  not 
require  patient  authorization,  and  in  fact,  prohibits  covered  entities  fi*om  obtaining 
authorizations  unless  required  by  State  law.  Unless  the  current  regulatory  author- 
ization for  treatment,  payment  and  health  care  operations  is  modified,  CCD  would 
oppose  implementation  of  the  rules  that  permit  entities  to  use  information  without 
authorization.  In  a  world  of  managed  care,  the  Administration  and  many  health  and 
consvuner  interests  have  been  dedicated  to  shift;ing  popular  culture  to  embrace  the 
concept  of  the  "empowered  patient."  Many  observers  befieve  that  the  best  way  to 
make  managed  care  work  is  for  patients  to  become  self-advocates,  active  in  working 
the  system  so  they  get  the  care  they  need.  Dismantling  the  current  authorization 
system  runs  counter  to  this  approach.  The  Secretary's  approach  disempowers  pa- 
tients by  taking  away  their  ability  to  actively  control  access  to  their  own  protected 
health  information. 

Patients  should  be  encouraged  to  be  active  participants  in  their  own  health  care- 
and  the  authorization  process  should  be  an  integral  piece  of  that  picture.  A  signed 
authorization  provides  a  unique  opportunity  for  the  individual  to  understand  the 
uses  and  disclosures  of  her  health  information.  This  process  will  increase  individual 
awareness  of  the  risks  and  benefits  of  such  uses  and  disclosures.  While  the  Sec- 
retary states  that  individuals  are  not  likely  to  know  "all  the  possible  uses,  disclo- 
sures, and  re-disclosiu*es  to  which  their  information  will  be  subject,"  individuals 
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should  be  informed,  to  the  extent  practicable,  of  how  information  will  be  used  and 
to  whom  it  may  be  disclosed.  See  64  Fed.  Reg.  59918,  59940  (Nov.  3,  1999).  A  signed 
authorization  will  give  individuals  an  opportunity  to  review  the  authorization  and 
create  an  "initial  moment"  in  which  the  patient  can  address  her  privacy  concerns. 
When  discrepancies  between  an  individusd's  privacy  concerns  and  the  covered  enti- 
ty's use  and  disclosure  of  information  arise,  the  signed  authorization  will  provide 
an  opportunity  for  the  individual  to  ask  questions  about  how  her  information  will 
be  used  and  disclosed. 

The  Secretary  states  three  reasons  for  not  adopting  a  signed  authorization  ap- 
proach: (1)  authorizations  provide  individuals  with  httle  actual  control  over  their 
health  information,  (2)  consent  is  often  not  voluntary  because  the  individual  must 
sign  the  form  as  a  condition  of  treatment  or  payment,  and  (3)  individuals  are  often 
asked  to  sign  broad  authorizations  but  are 

provided  little  or  no  information  about  how  their  health  information  will  be  used. 
64  Fed.  Reg.  59918,  59940  (1999). 

We  find  the  Secretary's  rationale  troubling.  The  Secretary  has  the  authority  to  im- 
prove the  current  authorization  process  but  states  current  problems  as  the  reason 
not  to  empower  patients.  Even  if  the  Secretary  chooses  not  to  empower  patients,  her 
rationale  that  authorizations  provide  individuals  with  Uttle  actual  control  and  con- 
sent is  often  not  voluntary  does  not  consider  the  importance  of  the  "initial  moment." 
As  discussed  above,  this  moment  gives  individuals  uie  chance  to  learn  about  the  use 
and  disclosure  of  her  information  and  ask  questions,  voice  concerns  or  negotiate,  if 
possible.  The  Secretary's  rationale  also  fails  to  consider  the  reality  of  receiving  medi- 
cal treatment  for  sensitive  conditions.  We  know  that  for  stigmatizing  conditions, 
such  as  HIV  or  sexually  transmitted  diseases,  individuals  exercise  control  by  fore- 
going treatment  or  choosing  to  self-pay  for  specific  services  under  an  assumed  name. 
Authorizations  would  help  these  individuals  learn  more  about  the  use  and  disclo- 
sure of  their  iriformation  so  they  can  feel  comfortable  receiving  treatment  and  pro- 
viding accurate  information  to  providers. 

Because  many  covered  entities  currently  obtain  signed  authorizations,  there 
would  be  littie,  if  any,  additional  administrative  burden.  See  64  Fed.  Reg.  59918, 
59940  (1999).  We  see  no  reason  to  reduce  current  protections  afforded  to  consmners. 
As  covered  entities  increase  commxmications  with  individuals,  provide  individuals 
with  opportunities  to  understand  how  their  information  is  being  used  and  disclosed, 
and  allow  individuals  to  negotiate,  individuals  will  feel  that  they  have  more  control 
over  their  healtii  care  decisions.  These  simple  but  important  changes  will  likely  im- 
prove the  public's  perception  of  the  health  care  system. 

B.  Individual  Authorization  for  Sensitive  Health  Conditions 

(Section  164.508  Uses  and  disclosures  for  which  individual  authorization  is  re- 
quired) 

Requiring  entities  to  obtain  authorization  fi*om  an  individual  before  communicat- 
ing with  the  individual  about  sensitive  health  conditions  is  also  very  important.  Peo- 
ple with  disabilities  who  seek  sensitive  health  care  services  have  heightened  concern 
that  their  medical  condition  or  treatment  may  be  inadvertently  disclosed  to  others 
such  as  roommates,  house  mates,  family  members,  neighbors,  employers  or  others 
who  may  want  to  cause  harm. 

Covered  entities  should  be  required  to  protect  against  inadvertent  disclosures  of 
protected  health  information  concerning  sensitive  health  care  services  [defined  as 
services  relating  to  reproductive  health,  sexually  transmissible  diseases  (whether  or 
not  transmitted  in  any  particidar  case),  substance  abuse,  or  mental  health]  by  ob- 
taining the  individual's  authorization  prior  to  communicating  with  the  individual  (or 
the  policyholder).  ,  v    ,  ,  j  • 

Sensitive  health  care  services  often  involve  the  most  personal  health  care  deci- 
sions. Individuals  with  sensitive  health  conditions  face  unique  confidentiaUty  con- 
cerns because  they  are  the  most  Ukely  to  suffer  discrimination  or  stigmatization  as- 
sociated with  such  conditions.  It  is  very  important  that  people  with  disabilities  who 
have  sensitive  conditions  be  able  to  control  where  and  how  information  about  sen- 
sitive conditions  is  communicated  to  them.  For  example,  a  person  hving  with  HIV 
may  want  to  ensure  that  a  covered  entity  does  not  send  any  information  about 
health  services  to  her  work  address  because  she  fears  her  employer  or  co-worker 
may  discriminate  against  her.  .  -  £_ 

We  believe  that  covered  entities  should  be  required  to  obtain  authorization  trom 
the  individual  prior  to  all  communications  with  the  individual  regarding  sensitive 
health  care  services.  All  communications  with  the  individual  should  be  protected  be- 
cause it  is  very  difficult  to  determine  exactly  where  in  the  chain  of  commumcation 
an  individual's  information  could  result  in 

stigmatization,  discrimination,  retaliation  or  other  harm. 
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The  Secretary  acknowledged  in  her  prefatory  language  that  covered  entities  al- 
ready have  the  ability  to  implement  and  track  patient  authorizations.  64  Fed.  Reg. 
59918,  59946  (1999).  Furthermore,  the  regulations  reauire  authorizations  for  (1) 
uses  and  disclosures  other  than  treatment,  payment  ana  health  care  operations,  (2) 
uses  and  disclosures  of  psychotherapy  notes,  and  (3)  uses  and  disclosures  for  re- 
search unrelated  to  treatment.  Because  an  authorization  framework  is  in  place,  we 
do  not  beUeve  that  an  authorization  for  sensitive  health  conditions  woxild  oe  a  sig- 
nificant burden. 

C.  De-identified  Information 

(Section  164.506(b)(1)  Standard:  minimum  necessary) 

We  strongly  believe  that  entities  should  first  be  required  to  determine  whether 
de-identified  information  can  be  used  or  disclosed  to  accompHsh  the  intended  pur- 
pose. While  we  agree  with  the  Secretary's  general  approach  that  entities  use  or  dis- 
close only  the  minimum  amount  necessary,  we  believe  that  a  clear  statement  that 
entities  must  first  consider  de-identified  information  is  the  only  way  to  ensure  that 
the  minimxmi  amount  standard  is  adequately  implemented. 

Requiring  entities  to  use  and  disclose  de-identified  information  will  help  ensure 
that  only  the  minimiun  amount  will  be  used.  Presumably,  de-identified  information 
is  part  of  the  minimum  amount  necessary  evaluation.  While  proposed  section 
164.506(d)  defines  de-identified  protected  health  information,  it  is  unclear  when,  if 
at  all,  an  entity  must  use  de-identified  information. 

We  beheve  that  a  de-identified  requirement  is  consistent  with  the  Secretary's  pro- 
posed minimum  amount  requirement.  In  fact,  in  the  prefatory  language  to  the  mini- 
mum amount  requirement,  the  Secretary  notes  that  stripping  individually 
indentifiable  information  of  identifiers  is  currently  used  for  analytical,  statistical 
and  research  purposes.  64  Fed.  Reg.  59918,  59946  (1999). 

While  the  Secretary  states  that  section  164.506(d)  is  intended  to  permit  important 
research  to  continue,  certainly  there  are  benefits  to  requiring  all  covered  entities  to 
consider  de-identified  information.  Re(juiring  entities  to  consider  de-identified  infor- 
mation will  limit  the  ability  of  all  recipients  to  Unk  the  information  to  individuals. 

D.  Law  Enforcement 

(Section  164.510(f)  Disclosures  for  law  enforcement  purposes) 
We  are  also  very  concerned  about  the  Secretary's  proposed  section  164.510(f). 
Under  the  proposed  rule,  people  with  disabiUties  may  have  their  health  information 
disclosed  to  law  enforcement  officials  without  any  legal  process.  We  \irge  the  final 
regulation  require  law  enforcement  to  obtain  legal  process-such  as  a  warrant  or 
court  order-that  is  judicially-approved  after  application  for  a  Fourth  Amendment 
probable  cause  standard. 

These  same  requirements  exist  in  other  federal  privacy  statutes  protecting  peo- 
ples' communications,  cable  subscriber  records  and  even  video  rental  lists.  None  of 
these  laws  are  absolute  bars  to  law  enforcement  access.  The  procedural  safeguards 
ensure  that  accoimtability  and  oversight  prevent  unwarranted  and  unjustified  abuse 
of  authority. 

E.  Paper  Records 

(Section  164.502  Applicability) 

As  discussed  above,  as  part  of  administrative  simplification,  the  Secretary's  au- 
thority was  limited  to  information  electronically  maintained  or  transmitted.  We  are 
concerned  that  people  with  disabiUties  may  be  reluctant  to  seek  care  or  honestly  dis- 
cuss their  health  condition  if  all  of  their  health  information  is  not  confidential.  Pri- 
vacy is  especially  important  to  those  with  disabiUties  because  if  information  about 
their  disabiUty  or  condition  is  disclosed  they  may  suffer  discrimination,  embarrass- 
ment or  stigmatization.  Because  of  the  complexity  of  the  health  care  system,  most 
patients  will  never  know  what  information,  if  any,  is  stored  electronically.  Even  if 
patients  are  able  to  determine  what  information  is  maintained  electronically,  they 
wiU  likely  fear  that  some  portion  is  in  paper  format.  Without  privacy  protection  for 
aU  health  information,  persons  with  disabiUties  mav  not  disclose  their  health  condi- 
tion. The  only  way  to  ensure  patient  confidence  in  the  health  care  system  is  to  make 
the  proposed  rule  applicable  to  aU  information. 

VI.  CONCLUSION 

We  beUeve  that  the  proposed  rule  provides  an  important  foundation  to  protect  pa- 
tient privacy  and  maintain  quaUty  health  care.  We  commend  the  Secretary  for  not 
preempting  more  protective  state  laws,  acknowledging  that  sensitive  information 
needs  special  protection,  constructing  business  partner  rules  and  permitting  individ- 
uals to  inspect  and  copy  their  health  information.  We  encourage  Congress  to  enact 
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legislation  to  build  upon  these  important  regulations  and  to  fill  gaps  left  by  HIPAA. 
We  do  not  believe  that  an  additional  review  of  comments  prior  to  the  final  rule  by 
GAO  is  appropriate.  We  have  been  informed  that  the  Secretary  received  over  50,000 
comments  of  which  a  significant  maiority  were  from  consumers  who  are  interested 
in  a  final  rule.  The  Secretary  should  be  given  an  opportunity  to  fUlly  evaluate  and 
issue  a  final  rule  prior  to  any  review  by  GAO.  We  encourage  Congress  to  facihtate 
this  process  rather  than  assume  the  Secretary  has  acted  improperly. 

Prepared  Statement  of  William  C.  McGinly 

The  Association  for  Healthcare  Philanthropy  (AHP)  is  pleased  to  present  its  com- 
ments for  the  written  record  on  the  Department  of  Health  and  Human  Services'  pro- 
posed rules  concerning  the  standards  for  privacy  of  individually  identifiable  health 
information. 

SUMMARY  AND  INTRODUCTION 

Established  in  1967,  the  Association  for  Healthcare  Philanthropy  (AHP)  is  a  not- 
for-profit  organization  whose  2,900  members  manage  philanthropic  programs  in 
1,700  of  the  nation's  3,400  not-for-profit  health  care  providers.  As  AHP's  president 
and  chief  executive  officer,  I  can  tell  you  that  an  estimated  75%  to  80%  of  the  U.S. 
population  resides  in  the  areas  served  by  these  providers,  which  include  community 
hospitals  and  medical  centers  (59%),  multihospital  systems  (14%),  specialty  institu- 
tions (8%),  academic  institutions  (5%),  long-term  care  facilities  (5%),  and  other  not- 
for-profit  facilities  (9%). 

AHP's  members  raised  more  than  $5.7  billion  in  FY 1998-$  1.92  billion  more  than 
was  raised  by  all  of  United  Way  of  America  during  the  same  time  period. 

Funds  raised  by  AHPs  members  directly  support  health  care  programs  and  serv- 
ices that  are  unfunded  or  underfunded  by  other  so\u*ces.  These  include:  programs 
to  promote  healthy  behaviors;  a  vast  array  of  community  wellness  programs,  from 
mobile  health  vans  to  mammography  screenings  and  hearing  and  eye  exams;  and 
much  needed  facility  improvements  and  essential  equipment  upgrades. 

Such  programs  are  central  to  the  not-for-profit  mission  of  AHP  members'  institu- 
tions and  organizations.  They  are  an  integral  part  of  their  business.  For  such  pro- 
grams to  continue,  AHP's  members  must  have  access  to  their  health  care  provider's 
database.  The  reason:  More  than  60%  of  funds  raised  each  year  come  from  individ- 
uals-most of  whom  are  grateful  patients. 

In  approaching  prospective  patient  donors,  AHP  members  are  sworn  to  respect 
the  confidentiality  of  patient  information  through  the  AHP  Statement  of  Profes- 
sional Standards  and  Conduct  and  its  companion  Bill  of  Donor  Rights.  Further, 
AHP  members  are  committed  to  upholding  the  spirit  and  intent  of  state  and  federal 
laws  governing  use  of  patient  information.  The  way  in  which  AHP  members'  institu- 
tions and  organizations  handle  confidential  information  might  be  likened  to  how  col- 
leges handle  student  records.  That  is,  academic  records  are  not  released  without  au- 
thorization, even  to  tuition-paying  parents,  yet  demographic  data  routinely  is  given 
to  the  alumni  office  for  fund-raising  efforts  that  ensure  the  support  of  the  college's 
long-range  educational  mission. 

MiP  respectfully  requests  that  the  proposed  regulations  be  amended  so  that  they 
neither  block  nor  reduce  our  members'  ability  to  raise  funds  for  not-for-profit  public 
health  care  programs. 

More  specific  comments  and  related  amendatory  language  follow. 

Background:  Need  for  Privacy  Standards 

AHP  fully  supports  the  development  of  standards  that  protect  the  confidentiality 
of  individually  identifiable  health  information.  However,  ^ose  standards  should  be 
moderated  so  that  they  also  protect  the  pubUc  health  care  benefits  generated  by 
philanthropic  gifts  to  not-for-profit  providers. 

This  balance  of  private  need  and  public  good  is  the  essence  of  an  underlying  tenet 
of  a  democratic  society,  and  it  is  one  that  AHP  believes  should  be  written  into  these 
regulations. 

Statutory  Background 

AHP  contends  that  the  regulations  as  proposed  would  not  meet  the  statutory  re- 
quirements for  the  privacy  standards,  which  require  that  any  privacy  standard 
adopted  to  implement  the  Health  Insurance  Portability  and  Accountabihty  Act  of 
1996  (HIPAA)  "shall  be  consistent  with  the  objective  of  reducing  the  admimstrative 
costs  of  providing  and  paying  for  health  care." 

By  restricting  AHP  members'  access  to  patient  databases,  the  proposed  regula- 
tions threaten  to  destroy  a  major  funding  source  for  public  health  care,  that  is, 
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grateful  patients.  More  than  60%  of  all  philanthropic  gifts  to  not-for-profit  health 
care  providers  come  fi*om  individuals,  most  of  whom  are  grateful  patients.  If  access 
to  grateful  patients  had  been  restricted  in  FY 1998,  when  AHP  members  raised  more 
than  $5.7  billion  for  pubhc  health  care  programs,  those  programs  might  have  lost 
as  much  as  $3.42  billion. 
Thus,  the  proposed  regulations  include  a  substantial  hidden  cost. 

Consultations 

AHP  appreciates  the  opportunity  to  increase  awareness  of  health  care  philan- 
thropy and  its  role  in  paying  for  health  care,  and  to  propose  alternate  language  in 
a  number  of  sections  in  the  proposed  regulations. 

Summary  and  Purpose  of  the  Proposed  Rule 

AHP  supports  the  Secretary's  recommendation  for  comprehensive  rules  that 
would,  among  other  goals,  "(a)Uow  for  the  smooth  flow  of  identifiable  health  infor- 
mation for  treatment,  payment,  and  related  operations,  and  for  specified  additional 
purposes  related  to  health  care  that  are  in  the  pubhc  interest." 

AHP  proposes  that  the  final  regulations  can  only  meet  this  goal  if  they  specify 
that  not-for-profit  health  care  providers'  fund-raising  programs  are  operated  in  the 
pubUc's  interest  as  an  integral  part  of  the  providers'  business  operations;  therefore, 
these  programs  should  be  incluaed  in  the  smooth  flow  of  identifiable  health  informa- 
tion. 

Specifically,  in  Paragraph  5,  AHP  would  have  the  fund-raising  activities  of  not- 
for-profit  health  care  providers  included  under  'liealth  care  operations"  that  do  not 
require  individual  authorization. 

Applicability 

AHP  endorses  the  appUcability  of  the  privacy  standards  to  the  entities  that  in- 
clude the  health  care  providers  that  employ  AHP  members,  but  again  urges  the  Sec- 
retary to  make  philanthropy  programs  a  permissible  use  of  individually  identifiable 
health  information,  without  authorization,  as  part  of  a  provider's  'liealth  care  oper- 
ations." 

Definitions 

Health  information:  AHP  generally  supports  the  definition  of  "health  information" 
and  the  apphcability  of  the  privacy  standards  to  health  information.  However,  a 
minimum  amoimt  of  health  information  is  often  helpful  to  the  professional  develop- 
ment officer-if  only  to  exclude  certain  constituent  groups  from  messages  likely  to  be 
deemed  offensive.  For  instance,  the  following  tenets  usually  guide  AHP  members 
when  they  handle  sensitive  health  information: 

"Donor  acquisition"  maihngs  that  go  to  former  patients  or  their  famihes  simply 
do  not  refer  to  patients'  recent  hospitalizations  or  their  illnesses. 

In  cases  where  a  patient  has  freely  shared  personal  information  regarding  medical 
conditions,  or  has  expressed  an  interest  or  made  previous  donations  to  a  specified 

Erogram  or  department,  segmented  appeals  for  related  medical  causes  may  occur, 
ut  these,  too,  do  not  expressly  refer  to  patients'  illnesses. 

Patients  hospitalized  or  treated  for  psychiatric  and  substance  abuse  treatment  are 
routinely  omitted  from  donor  acquisition  approaches  because  of  the  heightened  sen- 
sitivity commonly  associated  with  these  diagnostic  groups.  Also  excluded  are  all  mi- 
nors. 

In  general,  philanthropy  programs  give  careful  thought  to  the  audience  and  mes- 
sage of  all  fiind-raising  appeals,  and  where  appropriate  eliminate  any  constituent 
groups  and/or  messages  deemed  likely  to  be  offensive  to  recipients. 

Business  partner:  AHP  supports  the  definition  of  "business  partner,"  but  would 
like  to  establish  an  imderstanding  about  how  the  definition  relates  to  the  ways  that 
health  care  philanthropy  programs  are  structiu*ed. 

Nearly  70%  of  AHP  members  work  not  for  the  health  care  provider  but  for  sepa- 
rately incorporated  foundations,  which  are  recognized  as  charitable  entities  under 
501(c)(3)  of  the  federal  tax  code.  It  is  imperative  that  the  proposed  privacy  stand- 
ards not  inadvertently  close  the  door  to  charitable  gifts  that  support  public  health 
programs-and  provide  donors  with  a  valued  income  tax  deduction. 

About  25%  of  AHP  members  work  for  stand-alone  departments  within  the  health 
care  provider  institution. 

The  other  5%  work  in  offices  with  some  other  structure.  Whether  the  privacy 
standards  apply  to  these  various  structures  as  "covered  entities"  or  "business  part- 
ners," it  is  critical  that  the  standards  not  limit  the  effectiveness  of  health  care  phi- 
lanthropy programs  to  raise  money  from  the  people  most  likely  to  give,  that  is, 
grateful  patients. 
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Individually  identifiable  health  information:  A  minimum  of  patient  demographic 
information  is  essential  so  that  health  care  philanthropy  programs  can  carry  out 
their  not-for-profit  mission.  Age  is  needed  to  exclude  minors  fi-om  appeals. 

Introduction  to  General  Rules 

The  health  care  philanthropy  programs  managed  by  AHP  members  would  not  ap- 
pear in  conflict  with  this  broadly  stated  intent,  if  "health  care"  is  broadly  construed 
to  include  public  health. 

Use  and  Disclosure  for  Treatment,  Payment,  and  Health  Care  Operations 

AHP  supports  the  uses  and  disclosures  permitted  without  authorization  in  this 
section,  but  adamantly  opposes  the  exclusion  of  certain  activities  from  the  definition 
of  "health  care  operations."  The  very  ability  of  not-for-profit  health  care  providers 
to  fiilfill  their  altruistic  mission  is  threatened  by  the  proposed  requirement  that  ad- 
vance authorization  is  necessary  for  the  following  activities:  marketing  of 
health  .  .  .  services;  marketing  by  a  non-health  related  division  of  the  same  cor- 
poration; and  fiind  raising. 

With  buy-outs  by  for-profit  health  care  providers  threatening  the  existence  of  not- 
for-profits,  marketing  is  critical  to  the  fiiture  viability  of  these  altruistic  providers. 
Much  of  what  is  marketed  by  AHP  members-from  departments  or  divisions  within 
a  provider's  corporation  or  fi-om  its  related  foundation  (see  "definitions"  above)-has 
tremendous  benefit  for  community  health.  Wellness  programs,  mammography 
screening,  ear  and  eye  exams,  etc.,  are  marketed  by  AHP  members.  Many  of  these 
programs  are  fiinded  by  the  philanthropic  programs  that  AHP  members  manage. 

One  only  need  look  at  the  hospital  wings  donated  by  gratefiil  patients,  or  the 
donor  recognition  plaques  that  line  hospital  corridors,  to  realize  that  patients  are 
grateful  for  hospital  services  and  do  not  mind  showing  their  appreciation  with  tan- 
gible gifts.  AHP  contends  that  these  gifis  are  willingly  made  because  they  are  asked 
for  after  services  have  been  received.  To  ask  for  them  in  advance-which  would  be 
the  effect  of  the  proposed  privacy  standards-would  easily  alienate  the  largest  pros- 
pect pool  for  philanthropic  gifts  to  not-for-profit  health  care  providers. 

Finally,  the  kind  of  marketing  carried  out  by  AHP  members  is  not  the  kind  of 
marketing  of  commercial  products  that  seems  to  be  the  real  target  of  this  regula- 
tion's restriction.  It  is  important  that  the  final  version  of  the  privacy  standards  dis- 
tinguish between  for-profit  and  not-for-profit  ventures. 

In  short,  AHP  would  strike  these  activities  from  the  list  of  activities  that  require 
prior  authorization:  marketing  of  health  .  .  .  services;  marketing  by  a  non-health 
related  division  of  the  same  corporation;  and  fiind  raising. 

Further,  AHP  would  expressly  permit  not-for-profit  health  care  providers  and 
their  business  partners  to  use  and  disclose  protected  information  without  authoriza- 
tion for  the  following  activities  that  are  central  to  their  altruistic  mission:  marketing 
programs  that  promote  tlie  health  of  the  community;  and  raising  fiinds  that  support 
charitable,  educational,  or  research  purposes  and  capital  improvements. 

Minimum  Necessary  Use  and  Disclosure 

AHP  members  already  adhere  to  the  practice  of  minimal  use  and  disclosure.  On 
becoming  members,  they  pledge  to  uphold  the  AHP  Statement  of  Professional 
Standards  and  Conduct,  which  requires  that  an  individual's  right  to  privacy  be  re- 
spected and  that  information  gained  in  the  pursuit  of  professional  duties  remain 
confidential.  A  copy  of  the  AHP  Standards  is  enclosed. 

To  manage  effective  philanthropic  programs,  AHP  members  minimally  need  the 
names  of  patients  and  relatives,  their  addresses  and  telephone  numbers,  and  their 
age  (to  eliminate  minors).  A  minim\im  of  health  information  is  helpftil  (to  eliminate 
patients  with  sensitive  diagnoses). 
Right  to  Restrict  Uses  and  Disclosures 

AHP  members  already  restrict  use  and  disclosure  of  information  gained  in  pursuit 
of  their  professional  duties,  as  part  of  the  AHP  Statement  of  Professional  Standards 
and  Conduct. 

Creation  of  De-Identified  Information 

AHP  supports  the  use  of  protected  health  information  for  statistical  and  analytical 
reports.  In  fact,  AHP  annually  conducts  its  Survey  on  Giving,  through  which  mem- 
bers share  information  about  health  care  philanthropy.  AHP  is  the  only  source  of 
this  data  in  the  country,  which  each  year  is  given  to  the  American  Association  for 
Fund  Raising  Counsel  for  its  comprehensive  report.  Giving  USA. 
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Application  to  Business  Partners 

The  philanthropy  efforts  of  AHP  members  are  structured  in  several  ways-as  foun- 
dations, as  stand-alone  departments  or  divisions,  or  in  other  ways.  However  efforts 
are  structured,  whether  they  are  construed  as  "covered  entities  or  "business  part- 
ners," it  is  paramount  that  these  regulations  permit  access  to  protected  data  with- 
out authorization. 

Application  to  Information  About  Deceased  Persons 

AHP  supports  this  regulation's  intent  to  be  sensitive  to  the  families  of  the  de- 
ceased. However,  AHP  respectfully  suggests  that  providing  its  members  witii  pro- 
tected information  is  more  likely  to  achieve  this  goal  than  the  converse.  After  all, 
AHP  members  cannot  exclude  families  of  the  deceased  from  general  appeals  for  phil- 
anthropic gifts  if  the  fact  of  death  is  not  known. 

Furthermore,  when  friends  or  family  of  the  deceased  wish  to  make  a  memorial 

fift,  AHP  members  must  have  the  minimimi  demographic  information  to  accommo- 
ate  this  wish. 

Adherence  to  the  Notice  of  Information  Practices 

AHP  supports  the  intent  of  this  section,  which  requires  that  information  uses  and 
disclosures  reflect  the  actual  notice  of  such  use  and  disclosure.  Again,  however,  AHP 
urges  that  the  philanthropic  programs  managed  by  its  members  be  included  under 
"health  operations"  that  do  not  require  advance  authorization  for  what  is  a  central 
component  of  the  mission  and  business  of  not-for-profit  providers. 

Uses  and  Disclosures  with  Individual  Authorization 

This  section  contains  one  phrase  that  reveals  the  intent  of  its  authors:  commercial 
gain.  AHP  could  not  agree  more  that  individuals  have  the  right  to  refiise  the  release 
of  protected  information  that  will  result  in  commercial  gain  to  the  requesting  entity. 
No  commercial  gain  is  possible  for  not-for-profit  health  care  providers,  and  privacy 
standards  must  distinguish  between  for-profit  and  not-for-profit  entities. 

The  philanthropic  programs  of  AHP  members  should  be  considered  an  integral 
part  of  the  provider's  "health  operations"  and  thus  be  exempt  fi*om  individual  au- 
thorization. That  is  the  current  practice,  and  AHP  can  attest  to  the  fact  that  its 
members  hear  only  rare  concerns  which  are  quickly  resolved  after  they  explain  the 
health  services,  research,  and  educational  programs  that  are  supported  by  philan- 
thropy. 

Aside  fi-om  the  inappropriateness  of  applying  this  standard  to  not-for-profit  health 
care  providers,  the  proposed  authorization  form  is  onerous  and  counterproductive. 
Picture  a  patient  in  serious  condition,  being  admitted  to  a  hospital,  being  handed 
all  the  usual  forms  and  one  asking  for  permission  to  solicit  contributions  at  a  later 
date.  A  hospital  with  a  form  Uke  tihis  would  be  showing  very  little  sensitivity  to  the 
patient  and  would  likely  receive  no  gift  at  a  later  date,  even  if  the  patient  were 
grateful  for  the  medical  treatment  received. 

Introduction  to  Rights  of  Individuals 

AHP  supports  the  rights  of  individuals  as  delineated  in  the  proposed  regulations 
and  assures  the  Secretary  that  its  members  swear  to  respect  those  rights  through 
the  AHP  Statement  of  Professional  Standards  and  Conduct. 

Rights  and  Procedures  for  a  Written  Notice  of  Information  Practices 

AHP  believes  that  the  health  services,  research,  and  educational  programs  sup- 
ported by  the  philanthropy  programs  of  not-for-profit  health  care  providers  are  an 
integral  part  of  "health  operations"  and  should  be  treated  as  such  in  this  and  other 
sections  of  the  final  regulations. 

Rights  and  Procedures  for  Access  for  Inspection  and  Copying 

AHP  believes  that  the  health  services,  research,  and  educational  programs  sup- 
ported by  the  philanthropy  programs  of  not-for-profit  health  care  providers  are  an 
integral  part  of  "health  operations"  and  should  be  treated  as  such  in  this  and  other 
sections  of  the  final  regulations. 

All  of  AHFs  comments  are  offered  with  the  sincere  appeal  that  the  new  regula- 
tions should  be  structured  so  as  to  take  into  account  the  professional  ethical  stand- 
ards already  in  place.  These  regulations  must  allow  for  the  continued  work  of  hos- 
pitals and  health-related  foundations  in  philanthropic  programs  that  benefit  individ- 
uals and  communities  .  .  .  benefits  which,  if  lost,  would  be  severely  detrimental  to 
the  quality  of  life.  AHP  looks  forward  to  working  with  the  Department  in  order  to 
preserve  the  charitable  fund-raising  activities  of  not-for-profit  health  providers  while 
respecting  an  individual's  appropriately  limited  individually  identifiable  health  in- 
formation. 
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We  appreciate  the  opportunity  to  comment  on  the  proposed  standards.  More  im- 
portantly, we  look  forward  to  actively  assisting  the  Department  in  developing  pro- 
tective patient  medical  record  regulations  while  safeguarding  our  non-profit  provid- 
ers' obligation  to  meet  their  charitable  purposes  and  nilly  serve  their  patients. 

National  Association  of  Insurance  Commissioners, 

Washington,  DC  20001-1512, 

February  15,  2000. 

Margaret  Ann  Hamburg, 

U.S.  Department  of  Health  and  Human  Services, 
Washington,  DC  20201. 

Dear  Assistant  Secretary  Hamburg:  On  behalf  of  the  National  Association  of 
Insurance  Commissioners  (NAIC)  Health  Insurance  Task  Force,  I  hereby  submit 
these  comments  on  the  proposed  rules  entitled,  "Standards  for  Privacy  of  Individ- 
ually Identifiable  Health  Inlormation,"  published  in  the  Federal  Register  on  Novem- 
ber 3,  1999  (64  Fed.  Reg.  59918-60065). 

The  NAIC  appreciates  the  Department  of  Health  and  Human  Services'  (HHS)  ef- 
forts to  establish  standards  to  protect  the  privacy  of  individually  identifiable  health 
information  maintained  or  transmitted  in  connection  with  certain  administrative 
and  financial  transactions  and  to  provide  a  basic  level  of  protection  to  consumers. 
We  too  understand  the  necessity  of  protecting  individuals'  health  information,  and 
as  such,  we  have  adopted  stand-alone  model  privacy  legislation  and  have  incor- 
porated privacy  protections  in  other  health-related  models.  In  general,  we  appreciate 
the  flexibility  afforded  the  states  in  the  HHS  proposed  regulation- 
Drafting  standards  that  protect  the  privacy  rights  of  individuals  with  respect  to 
highly  personal  health  information  is  a  difficult  task.  Like  you,  the  members  of  the 
NAIC  sought  tc  write  standards  that  would  not  cripple  the  flow  of  useful  informa- 
tion, that  would  not  impose  prohibitive  costs  on  entities  affected  by  the  legislation, 
and  that  would  not  prove  impossible  to  implement  in  a  world  that  is  rapidly  chang- 
ing fi*om  paper  to  electronic  records.  At  the  same  time,  the  members  of  the  NAIC 
recognized  the  need  to  assure  consiuners  that  their  health  information  is  used  only 
for  the  legitimate  purposes  for  which  it  was  obtained,  and  that  this  information  is 
not  disclosed  without  the  consumer's  consent  or  knowledge  for  purposes  that  are 
likelv  to  harm  or  offend  the  individual. 

While  there  are  many  similarities  between  the  NAIC  Health  Information  Privacy 
Model  Act  and  the  proposed  regulation,  the  members  of  the  NAIC  have  serious  con- 
cerns about  the  proposed  regulation's  impact  on  the  ability  of  state  insurance  de- 
partments to  perform  their  jobs  and  handle  their  responsibilities,  which  include  pro- 
tecting consumers  and  eliminating  fii^ud. 

I.  NAIC  MODEL  IN  RELATION  TO  THE  PROPOSED  REGULATION 
A  Background 

The  NAIC  adopted  its  "Health  Information  Privacy  Model  Act"  ("NAIC  Model 
Act")  in  September  1998.  This  model  has  a  more  narrow  focus  than  the  NAIC's  "In- 
siirance  Information  and  Privacy  Protection  Model  Act,"  which  was  adopted  in  1980. 
The  model  act  adopted  in  1980  addresses  the  privacy  of  all  individually  identifiable 
information,  whereas  the  NAIC  Model  Act  adopted  in  1998  establishes  protections 
for  all  health  information  and  for  protected  health  information.  The  NAIC  Model  Act 
was  developed  with  state  regulators,  representatives  of  the  insurance  and  managed 
care  industries,  and  representatives  fi-om  the  provider  and  consumer  communities. 
Our  model  was  developed  to  assist  the  states  in  drafting  uniform  standards  for  en- 
suring the  privacy  of  health  information. 

B.  Similarities 

The  HHS  proposed  privacy  regulation  addresses  many  of  the  same  issues  as  the 
NAIC  Model  Act.  Both  the  NAIC  Model  Act  and  the  proposed  regulation  establish 
procedures  for  the  treatment  of  all  health  information  and  additional  specific  rules 
for  protected  health  information.  They  are  similar  in  their  basic  structures  and  the 
rights  conveyed  to  individuals  regarding  their  health  information. 

In  terms  of  structure,  the  NAIC  Model  Act  and  the  regulation  prohibit  entities 
fi-om  using  or  disclosing  health  information  except  as  authorized  by  the  patient  or 
as  specifically  permitted  by  the  Act  or  regulation.  (HHS  Proposed  Regulation 
§  164.506(a);  NAIC  Model  Act  §10A).  When  protected  health  information  is  used  or 
disclosed,  both  limit  the  amount  of  information  used  or  disclosed  to  that  amoiint 
which  is  necessary  for  the  stated  purpose.  (HHS  §  164.506(b)(1);  NAIC  §10).  They 
both  estabhsh  exceptions  to  the  authorization  requirement,  and  many  of  the  excep- 
tions to  the  authorization  requirement  in  the  NAIC  Model  Act  faU  under  what  the 
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HHS  proposed  regulation  defines  as  treatment,  payment  or  health  care  operations. 
(HHS  §164.510;  NAIC  §11).  The  NAIC  Model  Act  and  the  proposed  regulation  place 
administrative  requirements  on  their  applicable  entities  (HHS  §164.518,  164.520; 
NAIC  §5),  and  both  establish  civil  and  criminal  penalties  for  violations  (HHS 
§164.522;  NAIC  §15). 

In  terms  of  individuals*  rights  regarding  their  protected  health  information,  the 
NAIC  Model  Act  and  the  proposed  regulation  guarantee  similar  rights.  These  rights 
include:  (1)  the  right  to  inspect  and  copy  the  individual's  protected  health  informa- 
tion (HHS  §164.514;  NAIC  §7);  (2)  the  right  to  amend  and  correct  the  individual's 
protected  health  information  (HHS  §164.516;  NAIC  §8);  (3)  the  right  to  receive  no- 
tice of  an  entity's  privacy  practices  (HHS  §164.512;  NAIC  §6);  (4)  the  right  to  receive 
an  accounting  of  everyone  to  whom  protected  health  information  was  disclosed 
(HHS  §164.515;  NAIC  §9);  and  (5)  the  right  to  revoke  authorization  to  use  or  dis- 
close protected  health  information  (HHS  §  164.508(e);  NAIC  §10). 

C.  Differences 

Even  though  the  NAIC  Model  Act  and  the  proposed  regulation  have  quite  a  few 
similarities,  there  are  significant  differences  that  concern  the  state  insurance  de- 
partments and  the  NAIC.  As  we  witnessed  in  the  legislative  proposals  offered  by 
Congress,  the  smallest  details  can  have  a  huge  impact  on  how  the  privacy  standards 
effect  consumers  and  the  states.  Key  differences  are  in  scope  and  in  the  appUcable 
entities  impacted  by  the  regulation. 

HHS  has  expressed  concern  that  because  of  its  limited  jurisdiction,  tJie  proposed 
regulation  only  applies  to  electronic  health  information  and  only  applies  to  certain 
entities  (64  Fed.  Keg.  59923).  We  too  are  concerned  about  the  limited  reach  of  the 
proposed  regulation. 

1.  Scope  ("Summary  and  Purpose") 

Both  the  NAIC  Model  Act  and  the  proposed  regulation  estabUsh  standards  to  pro- 
tect the  privacy  of  protected  health  information.  However,  the  proposed  regulation 
defines  protected  health  information  to  include  only  individually  identifiable  health 
information  that  is  or  has  been  transmitted  electronically  (HHS  §164.504).  The  reg- 
ulation does  not  cover  paper  records.  On  the  other  hand,  the  NAIC  Model  Act  does 
not  distinguish  between  health  information  in  paper  format  and  health  information 
that  is  electronically  transmitted  and  maintained.  The  NAIC  Model  Act  protects  all 
forms  of  individually  identifiable  health  information,  both  paper  and  electronic.  We 
believe  the  NAIC  Model  Act's  broader  scope  serves  to  better  protect  individuals' 
health  information.  (NAIC  §4). 

HHS  requested  comment  on  whether  it  has  the  authority  to  extend  protections  to 
paper  as  well  as  electronic  information,  although  to  this  point,  HHS  has  limited  its 
regulations  to  electronic  information.  (64  Fed.  Reg.  59927).  We  suggest  that  since 
HHS  believes  it  has  the  authority  imder  HIPAA  to  extend  these  regidatory  require- 
ments to  paper  and  electronic  records,  it  should  do  so.  Rather  than  wait  to  publish 
proposed  rules  that  will  govern  paper  records  in  the  near  future,  we  suggest  that 
HHS  address  paper  records  in  thus  current  proposed  regulation.  The  protections  es- 
tabhshed  in  the  proposed  regulation  should  extend  to  both  paper  and  electronic  in- 
formation. 

2.  Applicable  Entities  ("Applicability") 

One  of  the  most  obvious  differences  between  the  NAIC  Model  Act  and  the  pro- 
posed regulation  is  in  the  scope  of  the  entities  to  which  the  respective  proposals 
would  apply.  The  NAIC  Model  Act  only  appUes  to  insurance  carriers.  The  proposed 
regulation  is  broader  and  applies  to  health  plans,  health  care  clearinghouses,  and 
health  care  providers  who  transmit  health  information  electronically.  (HHS 
§160.102).  These  entities  are  referred  to  in  the  proposed  regulation  as  "covered  enti- 
ties." (HHS  §160.103). 

Although  the  proposed  regulation  generally  applies  to  a  broader  range  of  entities 
than  the  NAIC  Model  Act,  we  are  concerned  that  "health  plan"  is  defined  in  the  pro- 
posed regulation  to  exclude  certain  insurers.  The  proposed  regulation  clarifies  the 
definition  of  "health  plan"  established  under  HIPAA  to  include  a  health  insurance 
issuer,  a  health  maintenance  organization,  a  Medicare  supplement  poUcy,  and  a 
long  term  care  poUcy.  (HHS  §160.103)  As  such,  the  proposed  regulation  would  not 
apply  to  certain  types  of  insurance  entities,  even  if  they  provide  coverage  for  health 
care  services  or  use  information  found  in  an  individual's  medical  record  (i.e.,  life  in- 
surers, workers'  compensation  insurers,  automobile  insurers,  other  property-cas- 
ualty insurers,  and  insurers  offering  certain  limited  benefits)  (64  Fed.  Reg.  59923, 
59932).  The  NAIC  Model  Act  applies  to  all  insiu-ers,  regardless  of  the  products  that 
they  sell. 
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While  we  recognize  the  limited  jurisdiction  of  HHS  under  HIPAA  with  respect  to 
insurers,  we  recommend  the  approach  of  the  NAIC  Model  Act,  which  applies  to  all 
insurance  carriers  and  is  not  limited  to  health  insurers.  (NAIC  §4).  The  NAIC  had 
an  extensive  public  discussion  about  whether  the  NAIC  Model  Act  should  apply  only 
to  health  insurance  carriers,  or  instead,  to  all  carriers.  Health  insiu-ance  carriers  are 
not  the  only  types  of  carriers  that  use  health  information  to  transact  their  business. 
Health  information  is  often  essential  to  Ufe  insurers  in  issuing  policies  and  to  prop- 
erty and  casualty  insurers  in  settling  workers'  compensation  claims  and  automobile 
claims  involving  personal  injury,  for  example.  Reinsurers  also  use  protected  health 
information  to  write  reinsiu*ance.  The  NAIC  concluded  that  it  was  Ulogical  to  apply 
one  set  of  rules  to  health  insurance  carriers  but  different  rules,  or  no  niles,  to  other 
carriers  that  were  using  the  same  type  of  information.  Consimiers  deserve  the  same 
protection  with  respect  to  their  health  information,  regardless  of  the  entity  using 
it.  Nor  is  it  equitable  to  subject  health  ins\irance  earners  to  more  stringent  rules 
than  those  appUed  to  other  insurers.  Our  model  applies  to  all  insiu-ance  carriers  and 
establishes  uniform  rules  to  the  greatest  extent  possible.  The  NAIC  supports  privacy 
protections  that  apply  to  individually  identifiable  health  information  wherever  it  re- 
sides. 

II.  COMMENTS  ON  PREEMPTION  ("RELATIONSHIP  TO  STATE  LAWS") 

A  General  Comments  on  Preemption 

Preemption  of  state  law  is  a  key  issue  for  the  states  and  the  NAIC  membership. 
As  we  stated  in  our  May  4,  1999  letter  to  Congress  and  in  Congressional  testimony, 
the  federal  government  must  recognize  the  impact  of  any  privacy  le^slation  or  regu- 
lations on  existing  state  laws.  States  have  enacted  many  laws  designed  to  protect 
an  individual's  health  information  in  a  variety  of  areas.  These  state  protections  ap- 
pear in  many  locations  within  a  state's  statutes  and  regulations,  and  many  times 
address  programs  or  uses  of  health-related  information  that  are  unique  to  a  particu- 
lar state.  In  addition,  states  have  carefully  considered  when  to  allow  use  and  disclo- 
sure of  health  information  without  authorization,  such  as  in  cases  of  investigations 
and  audits  of  health  insurers  by  state  insurance  departments.  States  have  enacted 
legislation  and  regulations  after  balancing  the  individual's  right  to  keep  health  in- 
formation confidential  against  the  legitimate  purposes  for  disclosiu'e. 

While  we  oppose  the  preemption  of  state  law,  we  understand  the  desire  to  estab- 
Ush  a  minimum  standard  in  this  area  due  to  several  factors.  First,  the  transmission 
of  health  information,  as  opposed  to  the  dehvery  of  health  care  services,  is  not  al- 
ways a  local  activity.  Health  information  is  transmitted  across  state  and  national 
boundaries.  Second,  while  the  NAIC  has  developed  model  legislation  for  the  states 
to  enact  to  protect  individuals'  health  information  that  is  collected,  used  and  dis- 
closed by  insurance  carriers,  the  reality  is  that  our  jiuisdiction  is  limited  to  insur- 
ance. Because  health  information  privacy  encompasses  more  issues  than  insurance 
and  more  entities  than  insurers,  we  understand  the  desire  for  broader  regulations. 
As  a  res\ilt,  the  members  of  the  NAIC  have  concluded  that  the  privacy  of  health 
information  is  an  area  where  it  may  be  appropriate  for  the  federal  government  to 
set  a  minimum  standard. 

However,  it  should  be  noted  that  up  until  this  point  there  has  been  no  federal 
standard  in  place.  Rather,  states  have  been  the  protector  of  consumers  in  this  area. 
Any  federal  action  must  recognize  this  fact  and  make  allowances  for  it.  The  NAIC 
supports  establishing  a  minimimi  federal  level  of  protection  for  health  information, 
as  long  as  stronger  state  laws  are  preserved.  We  do  not  want  to  see  health  informa- 
tion that  currently  enjoys  a  high  level  of  protection  under  state  law  end  up  with 
less  protection  under  the  proposed  regulation. 

For  these  reasons,  we  appreciate  HHS'  intent  to  create  minimtmi  standards,  to 
preserve  stronger  state  laws,  and  to  protect  certain  state  laws  from  any  preemption. 
However,  it  is  critical  that  the  proposed  regulation  not  undermine  the  progress  of 
the  states  in  implementing  legislation  that  protects  health  information  privacy  and 
not  iindermine  states'  abilities  to  regulate  entities  over  which  they  have  jurisdiction. 
It  is  also  critical  that  the  proposed  regulation,  in  its  attempt  to  preserve  state  pri- 
vacy laws,  not  make  the  process  for  states  to  enforce  their  laws  so  burdensome  that 
the  process  only  works  in  theory  and  not  in  reality. 
B.  Preemption  Standard  in  the  Proposed  Regulation 

In  the  Health  Insurance  Portability  and  AccountabiUty  Act  of  1996  (HIPAA),  Con- 
gress directed  HHS  to  implement  privacy  regulations  if  Congress  failed  to  meet  the 
statutory  August  21,  1999  deadline  to  enact  legislation.  Congress  also  directed  HHS 
to  implement  regulations  that  would  not  supercede  a  contrary  provision  of  state  law 
if  the  state  law  is  more  stringent  than  the  regulation  (HIPAA  Sec.  264).  While  we 
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appreciate  the  expressed  intent  of  HHS  in  the  preamble  to  preserve  stronger  state 
privacy  laws  and  to  protect  other  specific  state  privacy  laws  from  preemption  (64 
Fed.  Reg.  59994-59999),  we  have  concerns  about  the  language  and  structure  used 
in  the  proposed  regulation's  general  rule  and  the  three  categories  of  exceptions  to 
the  general  rule.  The  preemption  analvsis  used  in  the  regulation  is  confusing  and 
leaves  many  questions  unanswered.  Although  the  general  rule  and  the  exceptions 
were  estabushed  in  HIPAA  by  Congress,  not  by  HHS,  we  believe  HHS  needs  to 
make  some  clarifications  in  the  proposed  regulation  in  order  to  effectively  and  effi- 
ciently implement  these  standards. 

C.  The  Proposed  Regulation's  General  Rule  and  Exceptions  (HHS  §160.203,  160.204) 
1.  General  Rule 

The  NAIC  membership  has  serious  reservations  about  how  the  preemption  stand- 
ard used  in  the  proposed  regulation  is  to  be  implemented.  The  general  rule  estab- 
lished in  HIPAA  Section  262  and  used  in  the  current  proposed  regulation  states 
that  provisions  of  state  law  are  preempted  to  the  extent  that  they  are  contrary  to 
the  federal  statutory  and  regulatory  scheme.  "Contrarsr"  is  defined  in  the  proposed 
regulation  such  that:  (1)  complying  with  both  state  and  federal  requirements  would 
be  impossible;  or  (2)  obeying  state  law  prevents  the  accompUshment  and  execution 
of  the  fiill  purposes  and  objectives  of  the  regulation  (HHS  §160.202).  HHS  has  spe- 
cifically requested  comment  on  how  these  proposed  criteria  would  be  likely  to  oper- 
ate with  respect  to  particular  state  privacy  laws  (64  Fed.  Reg.  59997). 

While  we  recognize  that  HHS,  in  defining  contrary,  has  used  the  standards  devel- 
oped by  the  courts  for  conflict  preemption  (64  Fed.  Keg.  59997),  we  would  note  that 
in  the  past  we  have  found  similar  definitions  not  to  be  very  helpful  in  comparing 
state  laws  to  federal  requirements.  We  encounter  a  similar  difficulty  when  conduct- 
ing a  conflict  analysis  for  ERISA  preemption  using  the  "relates  to"  standard.  Using 
the  conflict  analysis,  a  state  must  examine  all  its  laws  relating  to  health  informa- 
tion privacy  to  determine  whether  or  not  its  laws  are  contrary  to  the  requirements 
in  the  proposed  regulation.  This  in  and  of  itself  is  a  major  project  for  states  to  un- 
dertake. Just  identifying  all  of  the  laws,  let  alone  comparing  them  to  the  federal 
regulation,  is  time-consuming  and  confusing  for  states.  However,  in  response  to 
HHS'  request  for  comment,  we  offer  a  suggestion  to  help  the  operation  of  and  to 
ease  the  administrative  burden  of  implementing  this  standard. 

We  beheve  that  how  the  term  "provision"  is  defined  will  effect  the  practical  imple- 
mentation of  the  general  rule.  We  propose  that  the  states  be  given  the  greatest 
amount  of  flexibility  in  determining  what  the  necessary  scope  of  "provision"  is  when 
applying  the  general  rule's  contrary  standard.  HHS  has  recognized  that  states  know 
tineir  laws  best  and  are  best  informed  about  how  to  apply  their  laws.  (64  Fed.  Reg. 
59998).  The  NAIC  membership  believes  that  the  defimtion  should  preserve  to  the 
maximum  extent  possible  state  privacy  initiatives  that  extend  beyond  the  covered 


According  to  the  preamble,  when  applying  the  general  rule,  what  will  be  com- 
pared are  stete  and  federal  requirements  that  are  analogous,  i.e.,  that  address  the 
same  subject  matter.  If  there  is  a  state  provision  and  no  analogous  provision  in  fed- 
eral law,  there  is  nothing  to  compare  and  no  issue  of  a  contrary  requirement.  (64 
Fed.  Reg.  59995).  Consequently,  if  the  state  law  is  not  contrary,  the  stete  law 
stends.  If  the  stete  law  is  contrary,  the  stete  must  go  to  the  next  step  in  the  analy- 
sis to  see  if  a  contrary  stete  law  can  still  be  saved  from  preemption  by  qualifying 
as  one  (or  more)  of  the  three  categories  of  exemptions.  We  beUeve  these  are  impor- 
tent  stetemente  and  should  be  included  as  guidance  in  the  regulation  itself,  not  just 
in  the  preamble. 

2.  Exceptions  to  Preemption  of  Contrary  State  Laws 

The  exceptions  to  preemption  for  stete  laws  that  are  contrary  to  the  proposed  reg- 
ulation fall  into  three  categories:  (1)  those  stete  laws  that  require  a  determination 
by  the  Secretary  that  they  are  necessary  for  certain  purposes  as  set  out  in  HIPAA 
(HHS  §  160.203(a);  (2)  those  stete  laws  that  relate  to  the  privacy  of  individually 
identifiable  health  information  that  are  contrary  to  but  more  stringent  than  the  fed- 
eral requiremente  (HHS  §  160.203(b));  and  (3)  those  stete  laws  mat  are  explicitly 
carved  out  or  exempted  from  the  general  rule  of  preemption  (HHS  §160.203  (c),  (d)). 

These  exceptions  are  esteblished  in  the  HIPAA  stetute,  so  we  understend  that 
HHS  is  prevented  from  adding  or  deleting  any  exceptions  and  is  limited  in  how 
these  exceptions  are  used.  However,  we  have  comments  and  concerns  regarding 
each  category  of  exceptions.  Our  most  serious  concerns  Ue  with  the  exceptions  that 
require  a  determination  by  the  Secretery.  We  also  seek  clarification  regarding  how 
these  exceptions  work  on  a  practical  level  if  a  stete  law  falls  into  more  than  one 
category  of  exception. 
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a.  Exceptions  Requiring  a  Determination  by  the  Secretary  (Category  One) 

Under  this  exception,  a  state  may  continue  to  enforce  a  contrary  provision  of  state 
law  that  falls  into  one  of  five  categories,  but  only  after  obtaining  a  favorable  deter- 
mination from  the  Secretary  of  HHS.  As  set  forth  in  the  proposed  regulation,  if  a 
state  wants  to  continue  to  enforce  a  contrary  provision  of  state  law  that  falls  under 
one  of  the  listed  categories,  the  state  must  submit  a  written  request  with  detailed 
information  to  the  Secretary  seeking  an  exception  to  the  preemption.  Until  the  Sec- 
retary's determination  is  made,  the  federal  requirement  remains  in  effect.  The  Sec- 
retary will  deny  a  request  if  it  determines  that  the  federal  requirement  accom- 
plishes the  law's  purpose  as  well  as  or  better  than  the  state  law  for  which  the  re- 
quest is  made.  If  an  exception  is  granted,  it  is  effective  for  three  years  or  for  such 
lesser  time  as  is  specified  in  the  determination  granting  the  request.  (HHS 
§160.204(a)).  6  5^ 

We  believe  there  are  several  serious  flaws  with  this  proposed  process.  Our  pri- 
mary concern  is  that  the  determination  process  is  overly  burdensome  for  states.  Not 
only  do  states  have  to  conduct  a  "contrary  analysis"  for  all  of  their  laws  that  pi-otect 
health  information  and  then  submit  requests  for  exceptions  to  HHS,  but  they  also 
have  to  wait  for  HHS  to  make  a  determination  in  onier  for  the  states  to  enforce 
their  laws. 

We  are  very  concerned  about  the  provision  in  the  proposed  regulation  that  states 
that  the  federal  standard  applies  until  a  determination  is  made  (the  statute  is  silent 
on  this  issue)  (HHS  §160.204(aX2)).  This  provision  is  unacceptable  for  insurance  de- 
partments that  are  charged  with  protecting  the  citizens  of  the  state  and  enforcing 
state  laws  regulating  health  plans.  Cessation  of  state  regulation  in  the  interim  wiS 
essentially  leave  plans  unregulated  until  HHS  makes  a  determination.  The  NAIC 
membership  does  not  beUeve  that  the  states  should  be  hampered  in  their  legal  du- 
ties by  having  their  laws  preempted  until  they  can  prove  to  HHS  that  their  laws 
are  "necessary"  for  their  states.  States  have  passed  privacy  laws  after  careful  con- 
sideration and  debate,  and  they  should  not  have  to  ask  HHS  for  permission  to  en- 
force their  own  laws. 

We  offer  a  simple  solution  to  this  problem  that  would  work  within  the  confines 
of  HIPAA  and  HHS'  jurisdiction.  The  current  assumption  in  the  proposed  regulation 
that  the  federal  standard  applies  until  a  determination  is  made  shoxild  be  reversed. 
We  believe  there  is  enough  latitude  in  the  statute  (i.e.  the  statute  is  silent)  to  re- 
verse the  presumption,  so  that  a  state  law  stands  until  and  unless  HHS  has  deter- 
mined otherwise.  The  presumption  should  be  in  favor  of  the  state's  interpretation 
of  its  law.  This  reversal  is  necessary  to  avoid  a  regulatory  vacuum,  especially  con- 
sidering that  the  regulation  does  not  establish  a  time  frame  within  which  the  Sec- 
retary must  make  a  decision.  As  a  result,  we  beUeve  state  law  should  stand  while 
HHS  is  making  a  determination. 

On  a  related  note,  the  NAIC  membership  questions  whether  HHS  is  prepared  to 
conduct  determinations  for  all  50  states'  laws.  After  states  complete  their  "contrary 
analysis",  they  will  submit  their  state  laws  to  HHS  to  make  a  determination.  State 
privacy  laws  are  found  in  many  different  areas  of  a  state's  statutes  and  regulations, 
so  the  Secretary  may  receive  a  number  of  requests  per  state.  Without  an  increase 
in  funding  for  HHS  and  the  development  of  HHS'  infrastructure,  HHS  will  not  be 
able  to  handle  the  volume  of  preemption  determination  requests  from  the  states. 

Another  problem  with  the  proposed  regulation  is  the  lack  of  details  about  the  de- 
termination process.  The  proposed  regiuation  does  not  estabUsh  a  time  fi*ame  or 
deadline  by  which  HHS  has  to  issue  a  determination.  States  could  be  waiting  for 
years  or  indefinitely  to  find  out  whether  HHS  will  grant  an  exemption.  Such  indeci- 
sion could  have  a  dampening  effect  on  a  state's  abiUty  to  pass  further  legitimate 
legislation.  We  suggest  that  HHS  revise  its  regulation  to  include  a  time  period  by 
which  HHS  has  to  make  a  determination.  We  also  suggest  that  if  HHS  does  not 
make  a  determination  afler  a  specified  amount  of  time,  then  a  default  determination 
should  be  issued  in  favor  of  the  state. 

We  also  are  bothered  by  the  fact  that  even  if  states  are  granted  an  exemption 
fi^m  preemption  through  the  HHS  determination  process,  there  is  a  time  limit  on 
how  long  a  state  law  is  exempt  pursuant  to  this  determination  (HHS  §160.203(aX4). 
The  process  is  quite  burdensome  for  the  states,  so  we  question  the  provision  requir- 
ing states  to  ask  for  a  re-determination  on  the  same  laws  every  three  years  as  a 
waste  of  time  and  resources  for  the  states  and  for  HHS.  HHS  should  eliminate  the 
three-year  limit  on  how  long  the  exemption  is  effective. 

We  are  also  concerned  that  there  is  no  requirement  in  the  regulation  regarding 
giving  notice  to  the  states  and  others  that  HHS  has  made  a  determination,  other 
than  an  annual  publication  in  the  Federal  Register  of  all  determinations  made  by 
HHS.  (HHS  §160.203(aX8).  More  frequent  notices,  such  as  quarterly,  should  be 
made.  We  also  suggest  that  HHS  provide  more  details  in  the  proposed  regulation 
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about  the  factors  it  will  consider  in  its  determination  process  and  if  there  is  a  for- 
mula HHS  will  use  to  decide  whether  a  state  will  be  granted  an  exemption. 

b.  Exception  for  State  Laws  that  are  More  Stringent  than  the  Regulation  (Category 

Two) 

The  second  exception  allows  a  state  to  continue  to  enforce  a  contrary  provision 
of  state  law  that  relates  to  the  privacy  of  health  information  if  it  is  more  stringent 
than  a  standard,  requirement,  or  implementation  specification  adopted  under  the 
proposed  regulation.  More  stringent  is  broadly  defined  in  the  proposed  regulation 
as  providing  greater  privacy  protections  for  the  individual.  A  state  is  not  required 
to  obtain  a  determination  about  whether  a  provision  of  its  law  meets  this  exception. 
However,  the  Secretary  on  her  own,  or  at  the  request  of  a  state,  may  issue  an  advi- 
sory opinion  as  to  whether  a  provision  of  state  law  meets  this  exception.  (HHS 
§  160.204(b)). 

In  the  NAIC's  Congressional  testimony,  we  supported  the  establishment  of  mini- 
mum standards  in  the  area  of  health  information  privacy,  and  we  urged  Congress 
to  outUne  a  way  in  its  legislation  for  the  states  to  measure  their  laws  against  any 
federal  standard.  We  appreciate  that  HHS  has  chosen  to  estabUsh  minimum  federal 
standards  and  has  included  guideUnes  for  states  to  measure  their  laws  against  the 
proposed  regulation  (i.e.,  less  disclosure  to  others;  greater  right  of  access  to  health 
information  by  the  individual;  greater  penalties;  narrower  scope  of  authorization; 
longer  record-keeping  requirements  and  accoimting  requirements.).  States  need  to 
be  able  to  judge  whether  their  state  laws  are  stronger  than  any  federal  standard 
in  order  to  determine  whether  they  need  to  take  further  action  to  revise  their  laws. 
By  defining  "more  stringent"  in  the  proposed  regulation,  HHS  has  offered  several 
different  examples  of  what  quaUfies  as  more  stringent  as  guidance  to  the  states, 
with  the  overriding  principle  of  more  protection  to  the  individual  whose  information 
is  being  used  or  disclosed.  (HHS  §160.202). 

Additionally,  we  support  HHS'  decision  to  Umit  the  parties  who  may  request  advi- 
sory opinions  to  the  states  and  the  Secretary  of  HHS.  (HHS  §  160.204(b)(1);  64  Fed. 
Reg.  59998).  We  do  not  beheve  that  insurers  should  be  allowed  to  request  an  advi- 
sory opinion  and  open  every  state  law  up  to  challenge  and  to  review  by  HHS. 

We  do  have  one  concern  regarding  this  exception  that  we  believe  could  be  resolved 
with  explicit  clarification.  Since  the  federal  regulation  only  appUes  to  individually 
identifiable  health  information  that  is  electronically  maintained  and  transferred  and 
it  only  applies  to  health  insurers,  not  all  insurers,  we  would  like  assurance  that  the 
NAIC  Model  Act  and  similar  state  laws,  which  have  a  much  broader  scope  (apply 
to  all  forms  of  transmission  and  to  all  insurers),  would  be  viewed  as  more  stringent 
and  would  be  allowed  to  stand  under  the  proposed  regulation.  We  believe  that  these 
broader  state  laws  would  fall  under  the  category  of  "providing  greater  privacy  pro- 
tection for  the  individual",  but  explicit  clarification  in  the  preamble  or  text  or  even 
inclusion  in  the  list  of  examples  would  be  appreciated.  The  regulation  should  pre- 
serve state  laws  to  the  maximum  extent  possible  and  allow  states  to  enforce  their 
laws  as  they  apply  to  entities  and  situations  that  are  beyond  the  scope  of  the  regula- 
tion. 

Overall,  we  are  supportive  of  this  exception  and  how  HHS  has  addressed  the  issue 
in  the  regulation.  This  federal  floor  exception  will  still  require  the  states  to  analyze 
their  laws  regarding  whether  the  laws  are  contrary  and  more  stringent  than  the 
proposed  regiSation.  However,  the  states  will  not  have  to  go  through  the  burden- 
some process  as  required  by  the  category  one  exceptions,  and  they  will  not  be  pre- 
vented fi*om  enforcing  their  laws  waiting  for  a  determination.  In  addition,  this  ex- 
ception allows  states  to  enact  stronger  laws  where  and  when  they  are  needed  and 
to  enact  laws  in  the  future  to  address  changes  in  technology  and  in  the  use  of  health 
information  and  to  address  state-specific  issues. 

c.  Exceptions  that  are  State  Law  Carve-Outs  (Category  Three) 

Under  the  third  category  of  exceptions,  a  state  may  continue  to  enforce  a  contrary 
provision  of  state  law  that  the  meets  one  of  the  two  specified  exceptions:  (1)  provi- 
sions of  state  law  requiring  the  reporting  of  disease  or  injury,  child  abuse,  birth  or 
death,  or  for  the  conduct  of  public  health  surveillance,  investigation  or  intervention; 
and  (2)  provisions  of  state  law  requiring  a  health  plan  to  report,  or  to  provide  access 
to,  information  for  the  purpose  of  management  audits,  financial  audits,  program 
monitoring  and  evaluation,  facility  licensure  or  certification,  or  individual  licensure 
or  certification.  (HHS  § 160.203(c),  (d)).  No  mechanism  is  required  or  available  under 
the  proposed  regulation  for  determining  whether  a  state  law  meets  one  of  these 
complete  carve  out  exceptions.  It  appears  to  be  left  up  to  the  discretion  of  the  states, 
although  the  NAIC  membership  requests  that  HHS  affirmatively  state  this  fact. 
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The  second  carve  out  above  is  of  interest  to  us.  Although  state  insurance  laws 
would  qualify  for  this  exception,  we  are  concerned  with  the  scope  of  the  exemption 
regarding  oversight  of  health  plans. — We  realize  this  list  of  activities  related  to  state 
insurance  department  oversight  is  set  forth  in  HIPAA  §262  (Social  Security  Act 
§1178);  however,  the  preamble  of  the  proposed  regulation  explains  that  §1178  carves 
out  an  area  which  the  states  traditionally  have  regulated  and  which  the  statute  in- 
tends to  preserve  for  the  states  (64  Fed.  Reg.  59999). — We  are  concerned  because 
the  list  has  omitted  some  ver>'  important  activities  that  are  traditionally  regulated 
by  the  states  in  the  area  of  health  care,  specifically  such  activities  as  market  con- 
duct examinations,  enforcement  investigations  or  consumer  complaint  handhng. 
While  it  is  possible  that  these  functions  may  be  included  within  other  categories 
that  are  itemized,  it  is  certainly  not  clear  that  these  functions  would  fall  withm  the 
exemption.  The  NAIC  membership  thinks  that  the  proposed  regulation  should  recog- 
nize that  these  and  other  state  insurance  department  activities  are  covered  under 
this  exception.  The  stated  intent  is  to  preserve  an  area  of  law  traditionally  regulated 
by  the  states,  therefore  we  request  that  the  regulation  clarify,  either  in  the  pre- 
amble or  the  text,  that  a  broad  scope  of  state  insurance  department  activities  fall 
within  this  carve  out. 

3.  Interaction  Among  the  Three  Categories  of  Exceptions 

We  request  a  clarification  regarding  state  laws  that  are  contrary  to  the  proposed 
regulation  but  that  could  fall  into  more  than  one  category  of  exception.  Clearly  the 
proposed  regulation  contemplates  a  state  law  falling  into  more  than  one  exception 
(HHS  §160.203.1,  especially  since  the  three  categories  of  exceptions  are  drawn  broad- 
ly. We  believe  state  instirance  laws  easily  could  fall  into  several  categories  of-'excep- 
tions.  An  example  is  state  laws  regulating  health  insurance  plans  (category  one) 
that  are  more  stringent  than  the  federal  regulation  (category  two)  and  require 
health  insurance  plans  to  report  information  (category  3).  However,  this  language 
raises  several  questions:  (1)  If  a  state  law  falls  into  more  than  one  exception,  do 
states  get  to  choose  which  categor>^  of  exception  apphes?  (2)  WlQ  insurers,  consum- 
ers or  others  be  allowed  to  sue  state  insurance  departments  if  they  do  not  agree 
with  the  departments'  classifications  of  the  laws?  (3)  Will  this  issue  result  in  litiga- 
tion in  order  to  resolve  which  category"  of  exception  any  particular  state  law  falls 
into?  We  think  a  simple  clarification  statement  in  the  regulation  will  answer  these 
questions. 

We  ask  HHS  to  include  language  in  the  text  of  the  proposed  regulation  stating 
that  if  a  state  law  falls  within  several  different  exceptions,  the  state  chooses  which 
exception  shall  apply.  Clearly,  the  states  would  prefer  a  category  three  exception 
(complete  carve-out)  over  a  category  two  exception  (optional  advisory  opinion),  and 
a  category  two  exception  over  a  category  one  exception  (required  prior  determina- 
tion). The  presumption  should  be  that  the  state  has  the  best  knowledge  of  its  laws 
and  it  has  correctly  classified  its  laws  in  the  appropriate  category  of  exceptions. 
HHS  even  recognized  in  the  preamble  that  states  are  the  most  knowledgeable  about 
their  own  laws.  (64  Fed.  Reg.  59998).  We  think  this  simple  clarification  statement 
will  avert  much  litigation  and  prevent  state  insurance  departments  from  having  to 
defend  endless  challenges  to  their  classification  of  their  laws. 

m.  COM^fENTS  ON  EXCEPTIONS  FROM  THE  AUTHORIZATION  REQUIREMENT  FOR  DISCLO- 
SURE TO  HEALTH  0\TRSIGHT  AGENCIES  FOR  HEALTH  0\T:RSIGHT  ACTT\TnES  (HHS 

§164.51(x,c)i;  for  disclosutie  for  law  enforcement  purposes  (hhs  §164.51(xf)); 
and  for  use  and  disclosure  for  judicial  and  administrative:  proceedings 
ceffls  §164.510  d  )  i.  i  "health  oversight,"  "law  enforcement,"  and  "judiclal  and 
admlnistratrt:  proceedings". 

A  Classification  of  State  Insurance  Departments 

Similar  to  the  NAIC  Model  Act,  the  proposed  regulation  estabhshes  a  list  of  ex- 
ceptions to  the  authorization  requirement,  such  that  protected  health  information 
may  be  used  or  disclosed  without  authorization  in  certain  circumstances.  However, 
under  the  HHS  proposed  regulation,  the  activities  of  state  insurance  departments 
fit  under  any  one  or  more  of  the  following  three  exceptions:  (1)  for  disclosure  to 
health  oversight  agencies  for  health  oversight  activities;  (2)  for  disclosure  for  law  en- 
forcement purposes;  and  (3)  for  use  and  disclosure  for  judicial  and  administrative 
proceedings.  The  regulation  is  unclear  about  the  role  of  insurance  departments  rel- 
ative to  these  exceptions. 

1.  Health  Oversight  Agencies  and  Their  Activities  (HHS  §164.510(cj) 

The  definition  of  "health  oversight  agenc>^'  most  clearly  encompasses  and  applies 
to  state  insurance  departments.  Although  the  preamble  specifically  lists  state  insur- 
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ance  departments  as  included  in  this  category,  we  suggest  including  this  statement 
in  the  text  of  the  regulation,  not  just  the  preamble  (64  Fed.  Reg.  59958). 

The  proposed  regulation  provides  an  exception  to  the  authorization  requirement 
for  disclosure  to  health  oversight  agencies  for  conducting  health  oversight  activities. 
According  to  the  proposed  regulation,  these  health  oversight  activities  authorized  by 
law  include  audits;  investigations;  inspections;  civil,  criminal  or  administrative  pro- 
ceedings or  actions;  and  other  activities  necessary  for  appropriate  oversight  of:  i)  the 
health  care  system;  ii)  government  benefit  programs  for  which  health  information 
is  relevant  to  beneficiary  eUgibility;  or  iii)  government  regulatory  programs  for 
which  health  information  is  necessary  for  determining  compliance  with  program 
standards  (HHS  §164.5 10(c)(1)). 

We  are  particularly  concerned  about  the  scope  of  the  exemption  in  terms  of  the 
listed  activities  that  are  included  for  state  oversight  of  health  plans.  While  the  list 
includes  a  large  catch-all  category  for  "other  activities  necessary  for  appropriate 
oversight  of  the  health  care  system,  government  benefit  programs,  or  of  government 
regulatory  programs",  the  Ust  fails  to  include  other  oversight  activities  that  are  of 
such  importance  to  state  insurance  departments  that  they  should  be  specifically  Ust- 
ed.  Some  of  these  oversight  activities  that  are  traditionally  conducted  by  the  states 
are:  market  conduct  examinations;  consumer  complaint  handling;  solvency  and  fi- 
nancial examinations;  rehabilitation  and  liquidation;  investigations;  audits;  fi*aud 
activities;  establishing  and  enforcing  legal  or  fiscal  standards  relating  to  the  regula- 
tion of  the  business  of  insurance,  including  claims,  underwriting,  sales,  and  man- 
aged care;  assessments,  evaluations,  determinations;  initiation  of  administrative, 
civil  or  criminal  proceedings;  compliance  and  enforcement  of  laws  or  regulations. 

While  it  could  be  argued  that  some  of  these  functions  are  included  within  other 
categories  that  are  itemized,  it  is  certainly  not  clear  that  these  functions  would  fall 
within  the  exemption.  In  order  to  ensure  that  every  insxirance  department  can  fulfill 
its  obligations  to  the  citizens  in  its  state,  we  request  that  HHS  add  these  additional 
oversight  activities  to  the  list  of  specific  examples.  We  also  request  that  HHS  clarify 
that  the  catch-all  exemption  to  the  authorization  requirement  for  activities  nec- 
essary for  the  appropriate  oversight  of  the  health  care  system  is  intended  to  include 
all  legally  authorized  activities  performed  by  insurance  departments. 

2.  Health  Oversight  Activities  by  Two  or  More  Agencies. 

On  a  related  note,  the  preamble  states  that  in  cases  where  health  oversight  agen- 
cies are  working  in  tandem  with  other  agencies  overseeing  pubUc  benefit  programs 
to  address  compHance,  firaud  or  other  integrity  issues  that  could  span  across  pro- 
grams, the  oversight  activities  of  the  team  would  be  considered  health  oversight  and 
disclosure  to  and  among  team  members  would  be  permitted  under  the  proposed  rule 
to  the  extent  permitted  under  other  law.  (64  Fed.  Reg.  59958).  We  appreciate  that 
state  agencies  will  be  able  to  work  together  and  share  protected  health  information 
among  agencies  in  order  to  conduct  oversight  activities  and  share  information,  with- 
out being  considered  as  business  partners  or  needing  a  contract  to  share  information 
among  state  agencies. 

However,  we  would  like  to  see  this  ability  to  share  information  with  other  agen- 
cies for  oversight  purposes  expanded  fi-om  just  overseeing  public  benefit  programs 
(i.e.  Medicaid)  to  overseeing  health  programs  and  activities  as  a  whole.  For  example, 
an  insurance  department  may  not  be  the  sole  agency  in  a  state  that  regulates 
health  insurers  and  plans.  In  some  states,  the  Department  of  Health,  the  Depart- 
ment of  Corporations  or  the  Department  of  Managed  Care  is  responsible  for  regulat- 
ing managed  care  entities.  This  results  in  an  overlap  in  jiirisdiction  or  in  delegation 
of  responsibilities  among  agencies  for  regulating  the  health  insurance  entities.  Shar- 
ing of  information  among  agencies  for  these  oversight  activities  is  just  as  important 
as  oversight  of  pubHc  benefit  programs.  Consequently,  we  would  like  to  see  the  reg- 
ulation recognize  the  need  for  information-sharing  among  agencies  for  the  oversight 
of  health  programs  and  activities  as  a  whole. 

3.  Law  Enforcement  and  Judicial  and  Administrative  Proceedings  (HHS  §164.510(f), 

(d)) 

In  addition  to  falling  into  the  health  oversight  exception,  it  could  be  argued  that 
certain  state  insurance  department  activities  fall  under  the  law  enforcement  and  ju- 
dicial and  administrative  proceeding  exceptions.  The  definition  of  'law  enforcement 
official"  is  very  broad  and  includes  an  officer  of  an  agency  or  authority  of  a  state 
who  is  empowered  by  law  to  conduct:  1)  an  investigation  into  a  violation  of,  or  fail- 
ure to  comply  with  any  law;  or  2)  a  criminal,  civil  or  administrative  proceeding  aris- 
ing firom  a  violation  of,  or  failure  to  comply  with,  any  law.  (HHS  §164.510(f)(lXii); 
64  Fed.  Reg.  59937).  Because  of  their  job  responsibilities,  state  insurance  com  mis- 
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sioners  would  fall  into  this  definition.  As  drafted,  state  insurance  department  efforts 
to  combat  health  care  fi^ud  could  be  considered  law  enforcement  activity. 

Judicial  and  administrative  proceedings  are  not  defined  in  the  proposed  regula- 
tion but  are  considered  an  exception  to  the  authorization  requirement.  Under  this 
exception,  persons  are  permitted  to  disclose  information  in  the  course  of  any  judicial 
or  administrative  proceeding,  but  only  in  response  to  an  order  of  a  court  or  adminis- 
trative tribunal,  or  where  the  individual  is  a  party  to  the  proceeding  and  his  or  her 
medical  condition  or  history  is  at  issue  and  the  disclosure  is  pursuant  to  lawful  proc- 
ess or  otherwise  authorized  by  law.  (HHS  §164.5 10(d)(1)).  State  insiirance  depart- 
ments conduct  administrative  proceedings  and  are  often  involved  in  judicial  and  ad- 
ministrative proceedings. 

Potentially,  one  single  activity  could  be  construed  as  falling  into  all  three  excep- 
tions. An  example  could  be  a  joint  investigation  by  an  insurance  department's  inves- 
tigation team,  which  is  investigating  a  licensee  for  purposes  of  determine  if  adminis- 
trative action  should  be  taken  against  the  Ucensee,  and  the  department's  fi-aud  unit, 
which  may  prosecute  the  individual  for  insiirance  fraud.  This  issue  raises  procedural 
questions,  especially  if  one  exception  requires  a  court  order  (judicial  and  administra- 
tive proceedings),  one  does  not  (health  care  oversight),  and  another  exception  may 
require  a  court  order  in  certain  situations  (law  enforcement,  although  not  for  health 
care  fii^ud).  The  preamble  states  that  agencies  that  conduct  both  oversight  and  law 
enforcement  activities  would  be  subject  to  the  provision  on  use  and  disclosure  for 
health  oversight  activities  when  conducting  oversight  activities  (64  Fed.  Reg.  59958). 
However,  what  standards  apply  when  conducting  other  activities.  It  is  difficult  to 
have  several  different  appUcable  rules  based  on  the  activities  the  states  are  per- 
forming. This  is  especially  true  if  states  are  conducting  activities  that  fall  into  more 
than  one  category  of  exception  and  the  activities  are  not  so  easily  divided  into  parts 
that  need  authorisation  and  those  that  do  not. 

The  regulation  should  state  that  either  insurance  departments  decide  which  ex- 
ception applies,  or  that  all  insurance  department  activities  are  health  oversight  ac- 
tivities. Otherwise,  state  insurance  departments  may  face  endless  litigation  over 
their  classifications.  We  ask  HHS  to  include  language  in  the  text  of  the  proposed 
regulation  stating  that  if  a  state  insurance  activity  falls  within  several  different  ex- 
ceptions, the  state  chooses  which  exception  shall  apply.  The  presumption  should  be 
that  the  state  has  the  best  knowledge  of  its  laws  and  activities  and  has  correctly 
classified  them  in  the  appropriate  category  of  exceptions.  HHS  even  recognized  in 
the  preamble  that  states  are  the  most  Imowledgeable  about  their  own  laws  (64  Fed. 
Reg.  59998).  We  think  this  simple  clarification  statement  will  avert  much  litigation 
and  prevent  a  state  insurance  department  from  having  to  defend  endless  challenges 
to  its  classification  of  the  exception  that  applies. 

B.  Permitted  Disclosures  Versus  Required  Disclosures  to  State  Insurance  Depart- 
ments 

We  are  concerned  that  under  the  proposed  regulation  covered  entities  are  "per- 
mitted" but  not  "required"  to  disclose  necessary  protected  health  information  to 
health  oversight  and  law  enforcement  agencies  (HHS  §164.5 10(c),  (f);  64  Fed.  Reg. 
59955).  Under  the  proposed  regulation,  disclosure  is  required  in  only  two  in- 
stances— ^to  permit  an  individual  to  inspect  or  copy  their  information,  or  when  re- 
quired by  the  Secretary.  (HHS  §164.506) 

We  beUeve  that  covered  entities  under  investigation  by  a  state  agency  should  be 
required  to  provide  that  state  agency  with  access  to  necessary  health  information 
when  performing  its  legally  mandated  duties.  This  disclosure  should  not  be  optional. 
By  not  requiring  insurers  to  provide  state  insurance  departments  with  access  to 
records,  filings  and  other  documents  that  may  contain  individually  identifiable  infor- 
mation, state  ins\irance  departments'  ability  and  authority  to  perform  their  regu- 
latory responsibihties  is  undermined.  In  addition,  obtaining  authorization  from  all 
of  an  insurer's  cHents  for  investigation  of  an  insurer's  business  practices  is  not  fea- 
sible or  practical.  ,      ,      ,  j        i  x-  • 

The  NAIC  requests  that  disclosure  be  required  under  the  proposed  regulation  in 
additional  instances,  including  disclosure  to  health  oversight  agencies  for  health 
oversight  activities  consistent  with  state  law.  The  NAIC  Model  Act  Usts  cir- 
cumstances where  an  insurer  is  required  to  disclose  protected  health  information 
without  an  authorization.  Three  of  these  situations  are:  (1)  disclosure  to  federal, 
state  or  local  authorities  to  the  extent  the  carrier  is  required  by  law  to  report  pro- 
tected health  information  or  for  fraud  reporting  purposes;  (2)  disclosure  to  a  state 
insurance  department  performing  an  examination,  investigation,  audit;  or  (3)  pursu- 
ant to  a  court  order.  (NAIC  Model  Act  §11).  By  not  requiring  insiirers  to  disclose 
needed  records  that  may  contain  individually  identifiable  health  information,  state 
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insurance  departments  will  be  forced  to  obtain  court  orders  for  every  request  of  in- 
formation needed  for  a  legitimate  and  lawful  purpose. 

However,  even  court  orders  will  not  remedy  the  problem,  since  under  the  proposed 
regulation's  judicial  and  administrative  proceeding  exception,  covered  entities  are 
permitted  to  disclose  protected  health  information  in  a  judicial  or  administrative 
proceeding  if  the  request  for  such  protected  health  information  is  made  through  or 
pursuant  to  an  order  by  the  court  or  administrative  tribunal.  (HHS  §164.5 10(d)). 
This  use  of  "permitted"  in  the  proposed  regulation  instead  of  "required"  will  severely 
hamper  state  insurance  departments  from  doing  their  jobs. 

The  preamble  states  that  protected  health  information  is  often  needed  as  part  of 
an  administrative  or  judicial  proceeding,  and  it  even  lists  examples.  The  preamble 
states  that  these  "uses  of  health  information  are  clearly  necessary  to  allow  the 
smooth  functioning  of  the  legal  system."  (64  Fed.  Reg.  59958-59959).  If  the  uses  are 
necessary,  it  logically  follows  that  the  language  in  the  text  of  the  proposed  regula- 
tion should  use  the  word  "required"  instead  of  "permitted". 

IV.  COMMENTS  ON  ACCOUNTING  FOR  DISCLOSURES  REQUIREMENT  (HHS  §164.515) 

Both  the  proposed  regulation  and  the  NAIC  Model  Act  grant  individuals  the  right 
to  an  accounting  of  the  disclosures  of  their  protected  health  information  from  cov- 
ered entities  (HHS  §164.515;  NAIC  §9),  and  both  establish  exceptions  to  this  right. 
The  proposed  regulation  establishes  an  exception  so  that  accounting  for  disclosure 
to  an  oversight  agency  or  law  enforcement  agency  is  not  required  to  be  given  to  an 
individual  if  the  agency  provides  a  written  request  stating  that  the  exclusion  is  nec- 
essary for  a  specified  period  of  time.  (HHS  §164.5 15(a)(2)).  The  NAIC  Model  Act's 
exception  states  that  the  carrier  is  not  required  to  include  in  the  accounting  any 
disclosures  of  protected  health  information  that  were  compiled  in  preparation  for 
litigation,  law  enforcement  or  fraud  investigation.  There  is  no  date-specific  deadline 
on  this  exception. 

Both  the  proposed  regulation  and  the  NAIC  Model  Act  create  exceptions  to  the 
accounting  requirement  for  oversight  agencies  and  law  enforcement  agencies  con- 
ducting investigations.  The  problem  with  the  proposed  regulation  is  that  it  is  nearly 
impossible  to  accurately  project  the  length  of  an  investigation,  especially  during  its 
early  stages.  Rather  than  designating  a  specific  date  or  a  specific  amount  of  time 
for  no  accounting  of  disclosures  to  oversight  or  law  enforcement  agencies,  the  NAIC 
suggests  a  deadhne  based  on  the  end  of  an  event,  such  as  conclusion  of  an  investiga- 
tion. This  ensures  that  an  individual  will  receive  a  full  accounting  of  disclosures  at 
a  certain  point  but  also  allows  an  oversight  or  law  enforcement  agency  to  complete 
its  investigation  without  having  to  set  some  arbitrary  date  of  disclosure. 

V.  COMMENTS  ON  BANKING  ACTIVITIES  AND  FINANCIAL  SERVICES  MODERNIZATION  (HHS 
§164.51(XI))  ("BANKING  AND  PAYMENT  PROCESSES") 

HHS  attempts  to  address  banks  and  banking  activities  within  the  scope  of  the 
proposed  regulation.  We  believe  this  is  a  very  important  issue  in  light  of  the  passage 
of  financial  services  modernization  legislation.  The  Gramm-Leach-BUley  Act,  Public 
Law  106-102  (the  "GLB  Act"),  and  with  the  changes  in  the  entities  that  are  consid- 
ered "payers."  However,  we  have  some  concerns  about  how  banks  and  their  activi- 
ties are  handled  under  the  proposed  regulation. 

A.  Payment  Activities  Versus  Non-Payment  Activities 

The  first  issue  concerns  the  exception  for  banking  and  payment  processes  (HHS 
§  164.5 10(i)).  This  exception  is  confusing  because  HHS  attempts  to  address  two  sepa- 
rate issues  within  the  context  of  this  one  exception — payment  activities  and  non- 
payment banking  activities.  We  believe  these  two  issues  should  be  handled  sepa- 
rately. 

Under  the  statute  (§1179  of  the  Social  Security  Act/§262  of  HIPAA),  banks  can 
use  or  disclose  protected  health  information  for  certain  listed  purposes  (all  involving 
payment),  and  HHS  repeats  these  approved  activities  in  the  regulation.  Under 
§164.510(1),  "disclosure  for  banking  and  payment  processes",  covered  entities  are  al- 
lowed to  disclose  protected  health  information  to  financial  institutions  without  an 
individual's  authorization  for  processing  payment  for  health  care  and  health  care 
premiums,  including  the  processing  of  checks  or  credit  card  transactions  as  payment 
for  health  care  services.  However,  covered  entities  would  not  be  allowed  under  the 
proposed  regulation  to  include  any  diagnostic  or  treatment  information  in  the  data 
transmitted  to  financial  institutions.  (64  Fed.  Reg.  59966). 

We  agree  with  HHS'  assessment  of  a  bank's  role  in  payment  activities.  We  too 
recognize  that  a  certain  amount  of  information  is  needed  to  process  payments,  but 
we  agree  that  a  bank  would  not  need  diagnostic  or  treatment  information  in  order 
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to  process  a  pavment  and  that  in  most  case 
tion  would  be  nece&sarv  for  a  bank  to  c:- 
59966  . 

HHS  also  raises  the  issue  of  non-paymer. 
this  exception  not  in  the  text  of  the* prep  :s: 
tivities  banks  mav  be  providing  now  and  m 
HHS  recognizes  tliat  banks,  ic  addition  to  ozerlng  traditional  banking"  serrices,  may 
be  interested  in  offering  additional  services  to  covered  entities  s^jch  as  tracking  serv- 
ices, and  diagnostic  and  treatment  information,  claims  management  and  billing  s-jp- 
port.  ■  64  Fed-  Reg.  59966  .  With  the  passage  of  the  GLB  Act,  tins  is  a  ver^r  rei-  sce- 
nario. 

CuiTeiitly.  banks  are  not  considered  covered  entities  -^der  this  proposed  re-g'^a- 
tion-  HHS  tries  to  address  its  lack  of  ;^jrisdiction  over  baiiki  by  classifymg  bi:-k> 
as  ""business  partners"  of  covered  entities  when  receiving  protected  health  informa- 
tion for  non-payment  activities.  64  Fed.  Reg.  59*966  .  For  example,  if  a  bank  offers 
an  integratea  package  of  traditional  banking  services  and  healtn  claims  and  billing 
services,  it  could  do  so  through  a  business  partner  arrangement  that  meets  the  prol 
posed  requirements.  64  Fed..  Reg.  59966-59967  . 

We  agree  with  HHS"  assessment  tinat  nothing  Ln  the  reg-jlation  wo-jld  prohibit 
banks  from  becoming  business  partners  of  covered  er.r.nes  -^-.der  the  conditions  es- 
tablished in  the  proposed  reg^ulation  HHS  §164.5;-:  i  tita:  any  services  of- 
fered by  a  bank  that  are  not  on  the  list  of  exempt  ser.tces  m  the  starjte  Social 
Security  Act  §1179^  should  be  subject  to  the  b'osiness  partner  r,iie.  We  also  a.gre€ 
that  disclosing  protected  health  in:;rma:::r.  to  a  financial  insti ration  for  non-pay- 
ment activities  without  author_2a:::n  :r  ----:ut  a  b'^ismess  partner  contr-a::  -s-o-jld 
violate  the  provisions  of  the  proposed  rer-la-^;n    64  Fed,  Reg  59966  . 

As  demonstrated  by  our  comments  iiniems  z:  r.i:  inv-.ive  how  HHS  has  ad- 
dressed payment  activities  or  non-pa;.— in:  a:::-.tues  ::"  tar_£.5  :u:  rather  that  HHS 
has  addressed  these  two  issues  together  as  t:"  there  were  no  differences  m  the  need 
for  protected  health  information  in  these  two  sets  of  actiNtties.  We  think  that  bank 
activities  that  do  not  involve  pntes-smg  payments  shf-ild  he  handled  separately 
from  payment  activities.  The  ex:et:::n  HHS  §164.511  :  sni-jld  be  narrow'ed  to  'oe 
just  "payment  proces-ses"  and  sho'^d  n::  ze  "pav-men:  anc  tanking  pr-c-cesses*  or  any 
other  activities  outside  the  scope  of  payment  .-^11  : titer  n:n-pa;.nnent  actdv-ities 
shoiild  be  governed  by  the  b-^mess  partne'rs  rjle. 

In  addition,  there  are  discret  amies  between  the  preamtle  and  the  acTjal  text  z: 
the  regulation  setting  forth  :n_5  exieption  HHS  §164.511  i  N-:w-ths-tandin.|  the 
discussion  on  banks  as  b'usiness  partners,  the  intent  of  the  preamble  seems  lairly 
focused  and  is  narrower  in  scope  tlnan  the  acr-ial  text.  The  'text  of  the  reg"jiaticn 
as  it  is  currently  written  is  overly  broad  and  co'jld  lead  to  unintended  consequences.. 
The  preamble  addresses  payment  processes,  but  the  text  of  the  re^g^ulation  acdre-sses 
"routine  banking  activities  or  pavTnent."  64  Fed.  Reg.  59966:  §104.510'!  .  "Routine 
banking  activitie-s""  is  very  broad  and  co^jld  include" approving  loans  and  offering 
mortgages — acti\-ities  that  do  not  necessitate  disclos"jre  of  protected  health  miorma- 
tion  for  payment,  but  would  be  allowed  ^under  the  text  of  the  reg-jlation^  Banks 
should  not  have  access  to  individuals'  protected  he.alth  information  m  decidin.g 
whether  to  offer  a  loan  or  mortgage.  We  suggest  tlnat  the  te,xt  of  the  rer^atiin  'z-e 
re-draAed  to  reflect  the  narrower  scope  and  intent  of  the  preamble. 

In  short,  if  covered  entities  disclose  protected  health  unformatiDn  to  baz^s  str.ctly 
for  payment  proces-sing,  we  agree  that  no  authorisation  is  needed,  but  the  informa- 
tion banks  receive  should  be  minimal..  If  protected  health  mformaticn  is  used  for 
any  other  reason,  authorization  from  the  indivtcual  v,-:.-_ld  be  re-q-Jir-ed  or  a  business 
contract  with  a  covered  entity  would  'be  rec;uired.. 

B.  Banks  as  "Covered  Entities  '^ 

Currently  banks  are  not  included  under  the  dennition  of  "covered  entities '  in  tne 
HHS  propo'sed  regulation;  however,  with  the  enactment  of  the  GLB  Act..  'zanjLS  sjre 
able  to  form  holding  companies  that  will  include  ins-^ance_  companies  covered  enti- 
tle' and  their  activities.  As  a  result.,  banks  may  soon  have  access_  to  protected 
health  information  once  the  GLB  Act  is  implemented  and  banks  start  _bu>nng  ; 
ance  companies.  When  not  if  tlnis  happens^,  we  believe  banks_  sho'U-d  oe  cassmec 
as  covered  entities  under  the  proposed  re-g"ulation..  Banks  sho^uld  be  ne^d  to  tne  re- 
quirements of  the  HHS  proposed  re-g-jlation  and  sho'uld  be  req-jired  to  ootam  au- 
thorization from  an  individual  to  conduct  non-payment  activities.  .As^-istec  in  tne 
preamble,  these  activities  req^uiring  authorisation  woud  include:  use  :cr  marsetmr 
of  health  and  non-health  items  an"S  services:  and  use  and  disclo'S^jre  t:  n:n-nea_-Ji 
related  divisions  of  the  covered  entity  e.g.,  for  use  in  marketing  Iffe  or  :.a iu a. ly  in- 
surance or  banking  services  .   64  Fed..  Reg.  59941-59942  .  HHS  sho'U-C  c-ar-„--  tnat 


5,  if  not  all,  only  the  sp'ectffed  informa- 
dur.  ta/tnen:  act: '-.ties.    64  Fed..  Reg. 

-.  zanl-Ling  activities  m  the  pre.amble  of 
ri  reg--la:i:n  .  HHS  theonzes  a.bout  ac- 
the  rlir,ire  for  olans  and  providers,  and 
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if  financial  institutions  act  as  payers,  they  should  be  governed  by  the  HHS  privacy 
regulation  as  covered  entities. 

VI.  CONCLUSION 

In  summary,  we  support  HHS'  efforts  to  implement  privacy  regulations  that  leave 
intact  as  many  state  laws  as  possible.  However,  we  do  have  serious  concerns  about 
the  scope,  the  applicable  entities  effected  by  the  proposed  regulation,  the  preemption 
of  state  law,  the  determination  process  for  preemption  exceptions,  and  how  state  in- 
surance departments  and  the  broad  scope  of  activities  for  which  they  are  responsible 
are  classified.  We  believe  that  the  regulation  in  its  current  form  has  the  potential 
to  significantly  impair  the  states'  ability  to  regulate  the  health  insurance  industry. 
We  do  believe  that  the  proposed  regulation  may  be  workable  if  HHS  implements  our 
suggested  changes. 

The  NAIC  appreciates  the  opportunity  to  offer  these  comments  regarding  the  pro- 
posed regulation.  The  NAIC  intends  to  continue  working  closely  with  HHS  on  these 
and  other  issues.  If  HHS  has  any  questions  with  respect  to  these  comments  or  any 
other  element  of  the  proposed  regulation,  it  should  feel  fi*ee  to  contact  myself  or 
Mary  Beth  Senkewicz  at  (202)  624-7790. 
Sincerely, 

Kathleen  Sebelius, 
Vice  President,  NAIC. 
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May  26, 2000 

The  Honorable  Jim  M.  Jeffords 
Chairman 

Committee  on  Health,  Education,  Labor  and  Pensions 
United  States  Senate 
Washington,  DC  20510-6300 

Dear  Chairman  Jeffords: 

fa  response  to  your  May  10  lettCT  detailing  questions  raised  by  Senator  Wellstone  to  the 
American  Hospital  Associaticm  (AHA)  wimess  at  the  April  26*  hearing,  "Proposed  Rule 
on  the  Privacy  of  fadividually  Identifiable  Health  Information,"  the  AHA,  on  behalf  of  its 
nearly  5,000  membo*  hospitals,  health  systems,  networks  and  other  providers  of  care, 
respectfully  submits  the  following  for  the  record. 

Question  1 )  The  proposed  regulations  completely  eliminate  the  fundamental  concept  of 
informed  consent,  by  eliminating  the  patient's  need  to  consent  to  disclosure  of  information 
for  treatment,  payment,  and  health  care  operations,  as  well  as  for  specific  purposes  related 
to  "key  national  health  care  priorities."  It  may  be  true  that  the  present  consent  forms  are 
pro  forma,  but  eliminating  informed  consent  prior  to  disclosure  of  highly  personal  health 
information  will  only  further  undermine  patient  confidence. 

(A )  What  specific  proposals  do  you  have  to  bolster  patient  confidence  in  the  appropriate  use 
their  health  information  and  thereby  prevent  patients'  either  withholding  information 
or  lying  and  thereby  jeopardizing  their  own  care  as  well  as  the  accuracy  of  research 
and  public  health  information? 

(B)  from  the  perspective  of  the  entity  you  represent  and  your  area  of  expertise,  if 
informed,  voluntary,  and  non-coerced  patient  consent  before  the  use  and  disclosure  of 
medical  records  were  required,  how  would  you  recommend  implementing  such  a  rule? 

The  AHA  respectfully  disagrees  with  the  Senator's  premise  that  patient  confidence  will  be 
undamined  by  the  "regulatory  authorization"  in  the  Department  of  Health  and  Humans 
Services  proposed  "Standards  for  Privacy  of  Individually  Identifiable  Health  Information." 
Rather,  we  believe  that  many  of  the  concerns  expressed  in  the  Senator's  question  are.  in 
fact,  addressed  in  the  proposed  standards,  and  that  patient  confidence  could  be  bolstered  by 
adoption  of  clear  policies  and  procedures  on  the  safeguarding  of  patient  information. 
As  stewards  of  pauent  mtormauon,  hospitals  believe  that  it  is  vitally  important  that 
personal  health  information  be  subject  to  such  clear  poUcies  and  procedures,  with  strong 
penalties  attached  to  any  misuse.  The  regulation,  in  large  part,  mirrors  this  belief,  by 
seeking  to  ensure  that  identifiable  health  information  be  subject  to  a  system  of  checks  and 
balances.  Under  the  proposed  rule,  hospitals  must  have  safeguards  in  place  to  protect 
against  unauthorized  access  to  patient  information.  At  the  same  time,  the  proposed 
regulation  recognizes  that  patient  information  must  be  available  within  the  health  care 
system  in  order  to  adequately  treat  patients,  be  paid  for  services  rendered,  and  perform  vital 
health  care  operations. 
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Health  care  operations  include  such  functions  as  error-reduction  analysis  and  patient  safety 
initiatives,  as  well  as  continuous  quality  improvement  activities.  These  functions  are 
essential  to  improving  hospital  systems  of  care. 

To  answer  the  second  part  of  your  question,  we  agree  that  it  is  very  important  that  patients 
understand  how  information  will  be  used  within  the  confines  of  the  health  care  system, 
including  treatment,  payment,  and  health  care  operations,  and  what  parameters  are  in  place 
to  ensure  against  inappropriate  uses  of  identifiable  health  information.  However, 
individual  consent  for  each  use  of  patient  information  within  the  health  care  system  would 
be  an  untenable  and  potentially  dangerous  proposal.  For  example,  what  if  a  patient 
consents  to  the  use  of  his/her  information  for  treatment,  but  not  for  payment?  Or  what 
happens  if  an  infection  breaks  out  on  a  hospital  floor?  Access  to  patient  records  will  be  an 
important  determinant  in  managing  and  controlling  spread  of  infection  to  other  patients 
within  the  hospital.  Additionally,  efforts  to  understand  adverse  events  often  rely  on 
examining  patient  records  to  identify  potential  diagnostic  or  system  improvements. 

We  have  many  concerns  with  the  proposed  regulation;  however,  these  concerns  are  not 
with  the  "regulatory  authorization"  and  the  issues  of  patient  consent,  but  rather  with  the 
barriers  that  the  Secretary  puts  in  the  way  of  legitimate  and  appropriate  uses  of  patient 
information  by  hospitals  and  the  tremendous  costs  hospitals  will  face  if  these  rules  are  not 
modified  significantly  before  being  made  final.  We  believe  that  the  limited  permissible 
uses  outlined  in  the  proposed  rule,  in  large  part,  capture  the  flow  necessary  for  the  health 
care  system  to  function  effectively,  while  at  the  same  time  recognizing  the  importance  of 
patient  consent  for  activities  and  functions  that  may  fall  outside  the  authorized  functions. 

Question  2)  The  proposed  rule  sets  an  important  standard  that  only  the  "minimum  amount 
of  protected  information  necessary"  for  a  given  use  may  be  disclosed.  However,  the 
proposed  rule  does  not  specify  what  the  minimum  is  in  various  circumstances. 

(A )  Do  you  think  this  lack  of  specificity  is  a  problem?  Why  or  why  not? 

(B)  Would  you  recommend  that  all  medical  information  be  disclosed  among  licensed 
health  care  professionals  for  treatment  purposes  only?  Why  or  why  not? 

This  question  refers  to  the  section  of  the  proposed  rule  which  provides  that  a  "covered 
entity  must  make  all  reasonable  efforts  not  to  use  or  disclose  more  than  the  minimum 
amount  of  protected  health  information  necessary  to  accomplish  the  intended  purpose  of 
the  use  or  disclosure."  While  this  standard  is  based  on  a  principle  that  is  central  to 
protecting  the  privacy  of  an  individual's  health  information,  its  implementation  raises  some 
serious  problems.  For  example,  it  is  clear  that  caregivers  need  a  full  and  complete  history 
of  a  patient's  health  in  order  to  diagnose  and  develop  a  treatment  plan.  It  often  impossible 
to  determine  in  advance  what  information  may  be  necessary  for  a  subsequent  caregiver  to 
have  in  order  to  provide  appropriate  care.  While  everyone  in  the  health  care  system  should 
be  sensitive  to  the  flow  of  identifiable  health  information,  creating  a  system  where 
information  is  overly  inhibited  will  only  undermine  patient  care. 

In  our  comments  to  HHS,  the  AHA  proposed  that  the  agency  address  this  issue  by 
requiring  health  care  organizations  "in  establishing  safeguards  . .  .[to]  take  into 
consideration . . .  ways  to  ensure  that  the  minimum  amount  of  information  necessary  for 
the  purpose  for  which  the  information  is  needed  is  used  or  disclosed."  This  would  include 
"methods  for  determining  the  type  or  types  of  persons  who  may  have  access  to  the 
information."  Strong  institutional  safeguards  to  prevent  the  misuse  of  patient  information 
should  render  the  requirement  that  providers  justify  each  authorized  use  or  disclosure  an 
unnecessary  exercise. 
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To  respond  to  the  second  part  of  the  question  posed,  we  re-state  two  points:  Rrst,  it  is  clear 
that  patient  infcsmation  must  be  used  by  providers  to  treat  individuals  entrusted  in  their 
care;  and  second,  given  the  importance  of  quality  improvement  initiatives  and  the  focus  on 
refining  systems  of  care  to  enhance  patient  safety,  it  is  perhaps  more  important  than  ever 
for  providexs  to  have  access  to  information  that  supports  diese  efforts. 

We  appreciate  the  opportunity  to  respond  to  your  questions  on  the  privacy  of  health 
information.  It  is  an  important  issue  that  deserves  thoughtful  attention.  Should  you  have 
any  questions  regarding  our  responses,  please  contact  Patti  Goldman  (202.626.2328)  or 

Anne  Berdahl  (202.626.4628)7 

SincCTely,  , 


Rick  Pollack 
Executive  Vice  President 


Charles  N.  Kahn  m 

PresideDt 


HIAA 


Heahb  bsuraacc  Associatioo  of  Ajoiaica 


May  26,  2000 


The  Honorable  Jim  Jeffords 
Chairman 

Health,  Education,  Labor  and  Pensions  Committee 
U.S.  Senate 

428  Dirksen  Senate  Office  Building 
Washington,  D.C.  20510 

Dear  Chairman  Jeffords: 

On  April  26,  2000 1  testified  before  your  Committee  regarding  the  Health  Insurance  Association  of 
America's  (HIAA)  views  on  the  proposed  rule  from  the  Department  of  Health  and  Human  Services 
OTi  the  ccmfidentiality  of  health  information.  In  foUowup  to  my  appearance  before  the  Committee, 
Senator  Paul  Wellstone  had  several  written  questions  pertaining  to  my  written  statement.  You 
shared  Senator  Wellstone's  questions  with  me  in  a  letter  dated  May  10, 2000  and  asked  for  my 
response  by  today.  Attached  are  my  written  responses  to  Senator  Wellstone's  questions. 
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Let  me  thank  you  again  for  the  opportunity  to  testify  before  your  Committee  on  this  important 
matter.  If  you  or  Senator  Wellstone  or  any  other  Member  of  the  Conunittee,  have  any  further 
questions,  please  contact  Sharon  Cohen,  Senior  Vice  President,  Federal  A^airs  at  HIAA.  She  may 
be  reached  on  202-824- 1 845. 


1.)  (A)  Specific  proposals  to  bolster  patient  confidence  in  the  appropriate  use  of  their 
health  information? 

Health  plans  and  insurers  have  long  recognized  the  importance  of  maintaining  the 
confidentiality  of  individually  identifiable  health  information  while  effectively  using  it  to 
improve  patient  care  and  furnish  necessary  administrative  services.  Our  customers,  both 
employers  and  individuals  who  purchase  health  insurance,  have  confidence  that  identifiable 
health  information  is  confidential,  protected,  and  secure,  hi  a  competitive  marketplace,  it 
simply  would  be  foolhardy  for  an  insurer  not  to  run  its  business  with  appropriate  safeguards. 

A  growing  patchworic  of  state  confidentiality  laws  leaves  consumers  with  fewer  protections  in 
some  states  than  in  others  and  can  lead  to  significant  confusion.  These  inconsistent  state 
laws  also  impede  insurers*  abiUty  to  operate  effectively  and  meet  the  demands  of  customers. 
Insurers  have  an  exemplary  track  record  of  maintaining  the  confidentiality  of  personal  health 
information. 

Therefore,  we  firmly  beUeve  the  best  way  to  bolster  patient  confidence  in  the  appropriate  use 
of  their  health  information  is  through  federal  legislation  that  preempts  state  laws.  HIAA 
supports  balanced  and  responsible  federal  legislation  of  confidentiahty  that  provides  strong 
protections  for  consumers  while  at  the  same  time  not  placing  undue  regulatory  burdens  or 
restrictions  on  the  private  health  care  system.  Consumer  concerns  regarding  confidentiality 
are  an  important  consideration.  However,  overly  prescriptive  legislation  that  would  limit  the 
ability  of  the  health  care  industry  to  provide  consumers  with  high  quality,  affordable  health 
care  services  should  be  avoided.  HIAA  looks  forward  to  working  with  Congress  to  make  sure 
these  federal  laws  are  passed. 

We  also  must  be  cognizant  of  the  vitaUy  important  role  of  computer  technology  in  the  health 
care  industry. 


1.)  (B)  Recommendation  on  implementation  of  informed  patient  consent 

The  administration's  proposed  rules  attempt  to  strike  a  balance  between  protections  for 
individually  identifiable  health  information  and  the  activities  necessary  to  provide  quality 
health  care.  Thus,  insurers  and  other  covered  entities  are  permitted  to  use  and  disclose 
protected  health  information  without  individual  authorization  only  for  treatment,  payment,  or 
health  care  operations.  Rules  that  would  limit  covered  entities  firom  using  health  information 
for  these  purposes  could  seriously  undermine  the  delivery  of  quaUty  health  care.  For  example, 
if  insurers  were  required  to  selectively  obtain  patient  consent,  the  result  would  be  a  chilling 


Sincerely, 


Enclosures 
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effect  on  the  ability  of  insurers  to  combat  health  care  fraud  and  abuse,  perfonn  essential 
disease  management  activities,  and  conduct  important  health  care  research. 

However,  the  proposed  rules  do  not  allow  for  the  full  range  of  essential  treatment,  payment, 
and  health  care  operations  activities  vital  to  deUvering  high  quality  care.  Thus,  we 
recommend  the  rules  be  broadened  in  some  areas.  In  particular,  we  beheve  the  rules  should 
allow  administrative  activities  related  to  the  design,  implementation  and  evaluation  of  health 
plan  programs  that  may  require  the  use  of  protected  health  information,  such  as  medical 
intervention,  high-risk  employee  identification  programs,  and  educational  programs  intended 
for  a  particular  population  of  employees.  All  of  these  activities  are  important  to  the  delivery 
of  quality  health  care. 


1.  )  (A)  Comment  about  the  lack  of  specificity  of  the  '"minimum  necessary  standard.'* 

We  believe  the  definition  of  "minimum  necessary  standard"  in  the  proposed  rule  could  place 
undue  limits  on  insurer's  ability  to  promote  the  delivery  of  high  quahty  care.  The  definition's 
vagueness  will  almost  certainly  have  a  chilling  effect  on  efforts  to  reduce  medical  errors,  for 
example.  The  "minimum  necessary"  standard  severely  reduces  an  organization's  flexibility  to 
review  and  release  protected  health  information.  Health  plans  and  insurers  will  not  be  able 
to  determine  quickly  and  efficiently  if  medical  errors  or  inappropriate  care  have  occurred  and 
how  to  prevent  them  from  reoccurring. 

In  addition,  because  of  the  difficultly  inherent  in  applying  the  "minimum  necessary"  standard, 
the  Secretary's  proposed  rules  could  stifle  innovation  in  the  development  of  health  care 
services  to  improve  quality.  One  example  of  such  an  innovation  is  the  creation  of  integrated 
health  and  disabihty  programs.  Many  employers,  as  well  as  health  and  disability  insurers, 
have  begtm  to  focus  on  the  close  linkage  between  employee  health  and  workforce 
productivity.  They  have  begun  to  design  coordinated  or  integrated  health  and  disability 
programs  that  support  the  total  health  of  the  employee.  These  programs  are  ones  in  which 
benefits  are  purchased  by  a  customer  on  a  coordinated  or  integrated  basis  and  which  benefit 
employees  by  focusing  on  the  individual's  overall  health  and  wellness  needs.  The  proposed 
regulations  would  stifle  innovations,  such  as  this  one,  because  the  protected  health 
information  needed  to  build  such  programs  under  these  regulations  could  not  be  used  by  a 
health  plan  for  this  purpose.  Uses  are  limited  to  those  purposes  enumerated  in  the  regulations, 
and  the  amount  of  PHI  ultimately  used  is  limited  to  the  minimum  necessary  to  achieve  the 
stated  purpose  at  the  time  of  the  use. 

HIAA  believes  strongly  that  the  Secretary  should  revise  the  "minimum  necessary"  standard  to 
permit  uses  or  disclosures  of  protected  health  information  within  a  single  company  or  within 
an  integrated  or  coordinated  health  and  disability  program  for  health  management  and 
disability  management  purposes. 

2.  )  (B)  Comment  about  whether  or  not  medical  information  should  be  disclosed  among 
licensed  health  care  professionals  for  treatment  purposes  only. 

We  do  not  believe  that  disclosure  of  medical  information  should  be  limited  to  health  care 
professionals  for  treatment  purposes  only.  In  fact,  we  agree  with  the  following  statement  on 
page  59919  of  the  November  3,  1999  Federal  Register  from  the  preamble  to  the  proposed 
rules  for  confidentiaUty. 

"The  maintenance  and  exchange  of  individually  identifiable  health  information  is  an 
integral  component  of  the  delivery  of  quality  health  care.  In  order  to  receive  accurate 
and  reliable  diagnosis  and  treaunent,  patients  must  provide  health  care  professionals 
with  accurate,  detailed  information  about  their  personal  health,  behavior,  and  other 
aspects  of  their  lives.  Health  care  providers,  health  plans  and  health  care 
clearinghouses  also  rely  on  the  provision  of  such  information  to  accurately  and 
promptly  process  claims  for  payment  and  for  other  administrative  functions  that 
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directly  affect  a  patient's  ability  to  receive  needed  care,  the  quality  of  that  care  and  the 
efficiency  with  which  it  is  delivered." 

We  believe  that  the  quality  of  health  care  delivered  in  the  U.S.  would  be  seriously  and 
adversely  affected  if  limits  were  placed  on  disclosure  of  medical  information  so  that  only 
licensed  health  care  professionals  could  have  it  for  treatment  purposes. 


SENATE  COMMITTEE  ON  HEALTH,  EDUCATION,  LABOR,  AND  PENSIONS 

HEARING  ON 
PROPOSED  RULE  ON  THE  PRIVACY  OF 
INDIVIDUALLY  IDENTIFIABLE  HEALTH  INFORMATION 
"  '  '  APRIL  26, 2000 

WRITTEN  QUESTIONS  FOR  THE  RECORD 
FROM  SENATOR  PAUL  D.  WELLSTONE 


Responses  from  Dr.  E.  Greg  Koski,  Massachusetts  General  Hospital 

1.       The  proposed  regulations  completely  eliminate  the  fundamental  concept  of  informed 
consent,  by  eliminating  the  patient's  need  to  consent  to  disclosure  of  information  for 
treatment,  payment,  and  health  care  operations,  as  well  as  for  specific  purposes 
related  to  "key  national  health  care  priorities.''  It  may  be  true  that  the  present 
consent  forms  are  pro  forma,  but  eliminating  informed  consent  prior  to  disclosure  of 
highly  personal  health  information  will  only  further  undermine  patient  confidence. 

A.       What  specific  proposals  do  you  have  to  bolster  patient  confidence  in  the  appropriate  use  of 
their  health  information  and  thereby  prevent  patients'  either  withholding 
information  or  lying  and  thereby  jeopardizing  their  own  care  as  well  as  the 
accuracy  of  research  and  public  health  information? 

Response: 

The  assertion  that  the  regulations  completely  eliminate  the  fundamental  concept  of 
informed  consent  is  greatly  overstated.  There  is  ample  justification  for  allowing  the 
use  of  personally  identifiable  information  for  the  purposes  for  which  it  is  collected: 
treatment,  payment  and  health  care  operations  are  among  these  justifiable  uses  thai 
should  not  require  informed  consent.  It  is  the  disclosure  to  third  parties  of  personal 
health  information  for  unintended  uses,  such  as  marketing,  that  Americans  find 
egregious,  and  such  disclosures  should  require  informed  consent.  Unauthorized 
disclosure  should  be  punishable  by  law,  and  the  penalties  should  fit  the  crime. 
Fortunately,  breaches  of  confidentiality  rarely  occur  in  the  research  setting  because 
protections  for  individuals  are  already  in  place  and  being  strengthened.  The  right  to 
individual  legal  recourse  should  not  be  hindered.  Those  who  receive  and  use  private 
health  information  must  acknowledge  and fulfill  their  responsibilities.  Those  who  do 
not  are  the  root  of  the  current  crises  of  confidence,  and  it  is  there  that  we  must  focus 
our  attention. 


A.      From  the  perspective  of  the  entity  you  represent  and  your  area  of  expertise,  if  informed, 
voluntary,  and  non-coerced  patient  consent  before  the  use  and  disclosure  of  medical 
records  were  required,  how  would  you  recommend  implementing  such  a  rule? 

Response: 
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Every  patient  who  seeks  care  at  our  institution  is  fully  informed  how  their  information 
will  be  used,  and  what  policies  and  procedures  are  in  place  to  protect  their  rights. 
Health  institutions  cannot  be  asked  to  provide  care  if  they  are  denied  access  to  and  use 
of  information  that  is  essential  to  conducting  their  operation  responsibly.  Accordingly, 
patients  should  be  informed  and  given  the  opportunity  to  seek  care  elsewhere  if  they  so 
choose.  The  goal  of  our  regulations  and  laws  should  focus  on  the  use  of  information 
by  those  who  are  authorized  to  receive  it  for  the  purposes  for  which  it  was  intended. 
Consent  at  the  point  of  entry  is  feasible  in  most  instances,  but  with  appropriate 
penalties  for  misuse  and  unauthorized  disclosure,  such  consent  may  not  be  essential. 

1.  The  proposed  rule  sets  an  important  standard  that  only  the  "minimum  amount  of 
protected  information  necessary"  for  a  given  use  may  be  disclosed.  However,  the 
proposed  rule  does  not  specify  what  the  minimum  is  in  various  circumstances. 

A.       Do  you  think  this  lack  of  specificity  is  a  problem?  Why  or  why  not? 

Response: 

In  my  opinion,  it  is  undesirable  to  make  a  regulation  too  specific.  By  citing 
appropriate  examples,  most  cases  can  be  clarified,  but  in  the  event  of  alleged  misuse, 
the  burden  of justification  should  fall  upon  those  who  use  and  disclose  information. 


A.       Would  you  recommend  that  all  medical  information  be  disclosed  among  licensed  health 
care  professionals  for  treatment  purposes  only?  Why  or  why  not? 

Response: 

In  an  ideal  world,  complete  disclosure  of  health  information  among  healthcare 
professionals  for  treatment  purpose  would  almost  certainly  improve  the  quality  of  care. 
And,  of  course,  withholding  information  will  unavoidably  lead  to  misdiagnoses  and 
sub-optimal  treatment.  In  the  present  climate,  where  breaches  of  confidentiality  do 
occur,  complete  disclosure  between  doctor  and  patient  is  unlikely,  and  complete 
disclosure  among  caregivers  is  impossible.  Thus,  I  would  advocate  an  intermediate 
position  at  present;  when  a  patient  provides  information  if  they  express  a  desire  that 
certain  information  not  be  ^closed,  then  every  reasonable  and  practicable  effort  to 
honor  that  request  should  be  made.  However,  a  physician  should  not  be  held  liable  for 
use  andJor  disclosure  of  information  that  is  genuinely  intended  to  improve  the  health 
and  well-being  of  a  patient,  and  no  physician  should  be  held  liable  for  misdiagnosis  or 
treatment  of  a  patient  condition  when  information  essential  to  proper  management  has 
been  withheld  at  the  patient's  request. 

The  following  are  answers  to  questions  Sen.  Paul  Wellstone  (D-MN)  posed  to  Ms. 
Kathy  Farmer  subsequent  to  the  April  26  Senate  HELP  Conunittee  hearing  on  medical 
privacy.  Ms.  Farmer  testified  at  the  hearing  on  behalf  of  the  Washington  Business 
Group  on  Health.  Please  contact  Ticia  Gerber.  Manager  of  Public  Policy  at  the 
Washington  Business  Group  on  Health,  if  you  have  any  further  questions. 

Answer  to  Question  #1  (Introduction)  -  Before  addressing  the  issue  of  increased 
consumer  confidence,  WBGH  must  first  disagree  with  Sen.  Wellstone's  viewpoint  that 
the  Department  of  Health  and  Human  Services  (HHS)  proposed  privacy  rule  "eliminates 
the  fundamental  concept  of  informed  consenL"  Complete  informed  consent  to  use 
individually  identifiable  health  information  does  not  exist  in  today's  medical  care 
system,  nor  has  HHS  prescribed  its  implementation  in  their  proposed  privacy 
regulations. 

In  an  ideal  world,  consumers  would  have  absolute  rights  -  but  this  is  not  possible  in  our 
society.  HHS  has  properly  determined  that  it  is  not  possible  when  executing  the 
proposed  privacy  rules  either.  Complete  informed  consent  is  not  part  of  HHS'  proposed 
privacy  rule  because  the  rule  rightly  balances  consumers'  desire  to  protect  their 
individually  identifiable  health  data  with  the  legitimate  need  of  entities  that  use  such 
data  to  enhance  the  quality  of  care,  health,  and  well-being  of  health  care  consumers. 
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Answer  to  Question  #  1(A)  -  WBGH  believes  that  the  statutory  authorization  process  laid 
out  in  HHS'  proposed  privacy  rule  ~  coupled  with  impropriate  notice,  access,  and 
amendment  provisions  as  well  as  adequate  safeguards  and  penalties  ~  is  the  proper 
strategy  to  "bolster  patient  confidence  in  the  appropriate  use  of  their  information."  It  is 
important  to  note  that  WBGH.  in  particular,  has  a  long  history  of  promoting  consumer 
awareness  within  an  optimally  organized  system  of  care.  Other  than  actively  promoting 
an  increased  awareness  of  how  employers  utilize  their  workers'  sensitive  health 
information  and  the  benefits  that  result  from  these  uses,  WBGH  believes  HHS'  proposed 
privacy  rule  offers  a  sufficient  number  of  new  protections  to  address  consumer  concern 
about  data  misuse.  Such  concern  is  unwarranted  in  many  cases.  As  Ms.  Farmer 
emphasized  in  the  April  26  hearing,  very  few  instances  of  employer  health  information 
abuses  have  been  reported.  Also,  many  of  the  scenarios  that  people  fear,  such  as  the 
misuse  of  health  information  like  HTV  status  and  mental  health  treatment  records  in  job 
hiring,  firing,  and  promotion  decisions,  are  already  prohibited  and  punishable  under  the 
Americans  with  Disabilities  Act. 

Under  HHS'  proposed  privacy  rule's  authorization,  access,  and  penalty  structure, 
consumers'  confidence  would  flourish.  In  this  system,  consumers  would:  (1)  know  for 
what  purposes  their  individually  identifiable  health  data  are  being  used;  (2)  be  assured 
that  data  use  is  being  monitored  by  a  privacy  officer  and  that  individually  identifiable 
health  data  is  being  handled  by  trained  individuals;  (3)  be  confident  that  data  misuse 
would  be  punished;  and  (4)  be  required  to  specifically  authorize  the  use  of  individually 
identifiable  health  data  for  purposes  other  than  treatment,  payment,  and  health  care 
operations.  Broad  or  blanket  authorizations  for  projects  outside  of  this  realm  are 
expressively  prohibited  and  all  misuses  of  data  by  an  employer  or  business  partner  acting 
as  a  health  plan  or  provider  would  be  subject  to  significant  civil  and  criminal  penalties. 
Although  some  employers  offer  these  protections  today,  none  are  currently  required  to 
do  so  by  law.  The  proposed  privacy  rule  has  significant  structural  shortcomings  due 
largely  to  the  limited  rulemaking  authority  granted  to  HHS  in  the  Health  Insurance 
Portability  and  Accountability  Act.  However,  WBGH  asserts  that  the  rule's  consumer 
protections  are  adequate. 

Answer  to  Question  #1(B)  -  WBGH  believes  that  requiring  an  informed,  written,  non- 
coerced  and  voluntary  authorization  before  any  medical  records  information  is  used  and 
disclosed  would  be  extremely  impractical.  Such  a  legislative  mandate  might  lead  to  the 
very  scenario  Sen.  Wellstone  wants  to  avoid  -  undermining  the  confidence  of  health 
care  consumers.  Why?  Ms.  Farmer  stressed  at  the  April  26  HELP  Committee  hearing 
that,  based  on  past  large  employer  experience,  authorizations  that  require  a  worker's 
signature  before  some  type  of  health  information  can  be  released  typically  gamer  a  low 
response  rate  even  after  two  or  three  notifications  -  only  20-30%  of  the  targeted 
population  responds.  Therefore,  even  in  the  least  onerous  written  authorization  scenario 
where  permission  is  required  from  an  individual  to  use  their  identifiable  health 
information  for  treatment,  payment,  and  health  care  operations,  only  about  20-  30%  of 
workers  would  actually  send  in  their  authorization  to  use  data  for  such  purposes,  even 
after  repeated  mailings.  In  the  experience  of  large  employers,  the  low  response  rate  is 
most  often  not  due  to  workers'  unwillingness  to  grant  permission  to  use  data.  Instead,  it 
can  be  traced  to  workers  disregarding  the  authorization  mailing  or  not  remembering  to 
send  the  authorization  back  in  to  the  employer. 

For  those  workers  who  failed  to  send  in  their  data  use  authorization,  essential  health  care 
services  could  not  be  delivered  because  their  individually  identifiable  health  information 
could  not  be  used  for  the  purposes  of  treatment,  payment,  and  health  care  operations. 
Workers  would  feel  they  were  being  deprived  of  their  health  care  rights  ~  a  consumer 
backlash  could  result.  We  therefore  strongly  support  a  sututory  authorization  approach. 

If  forced  to  comply  with  a  written  authorization  privacy  provision  (as  opposed  to  a 
statutory  authorization),  language  would  have  to  be  added  to  HHS'  proposed  privacy  rule 
or  confidentiality  legislation.  The  new  language  would  need  to  allow  an  employer  or 
other  health  data-using  entity  to  utilize  an  individual's  identifiable  health  information  for 
treatment,  payment,  and  health  care  operations  if  an  authorization  had  not  been  received 
subsequent  to  two  or  three  authorizati(Hi  mailings.  Employers  discussed  such  a  "deemed 
authorization"  approach  with  HELP  Committee  Chairman  Jim  Jeffords  when  the 
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Chairman's  mark  of  the  medical  privacy  bill  was  being  actively  discussed  last  year.  If 
this  approach  is  not  adopted,  the  efficient  delivery  of  health  care  would  be  jeopardized 
and  the  consumer  would  suffer  adverse  consequences. 

Answer  to  Question  #2(A)  -  As  stated  in  Ms.  Farmer's  April  26  testimony,  WBGH 
appreciates  the  flexibility  that  an  employer  acting  as  a  health  plan  or  health  care  provider 
receives  when  determining  the  minimum  necessary  threshold.  We  also  believe,  though, 

that  the  minimum  necessary  requirement  in  HHS'  proposed  privacy  bill  is  quite  stringent 
and  would  likely  impede  operation  of  both  routine  and  more  innovative  workplace 
health-related  programs. 

However,  if  the  minimum  necessary  requirement  remains  in  the  proposed  privacy  rule, 
then  the  lack  of  definitional  specificity  is  not  a  problem.  The  definition  offers  a  detailed 
explanation  of  what  minimum  necessary  means  in  the  context  of  both  electronic  and 
non-electronic  individually  identifiable  health  data  and  allows  flexibility  in  these 
minimum  necessary  determinations  based  on  an  organization's  size,  sophistication,  and 
technical  limitations. 

Answer  #2  (B)  -  WBGH  would  endorse  a  scenario  in  which  medical  treatment  would  be 
disclosed  among  licensed  professionals  for  treatment  purposes,  but  this  cannot  be  the 
only  use  of  individually  identifiable  health  information  executed  without  an  explicit 
authorization.  For  the  reasons  listed  above  and  in  our  written  testimony,  we  support  a 
statutory  authorization  for  treatment,  payment,  and  health  care  operations  and  would 
hope  that  these  definitions  encompass  disability  management  activities  and  health  and 
productivity  management  projects.  Workplace  health  initiatives  involve  many  more 
participants  than  health  care  professionals. 

Conclusion:  Rather  than  contemplating  legislation  that  simply  fills  in  the  gaps  left  open 
by  HHS'  proposed  privacy  rules,  WBGH  continues  to  urge  Sen.  Wellstone  and  other 
members  of  Congress  to  work  towards  a  comprehensive  medical  confidentiality  solution 
that  can  help  both  consumers  and  employers  achieve  their  goals. 

Responses  to  Questions  from  Senator  Wellstone  -  Dr.  Joanna  Horobin 
representing  the  Biotechnology  Industry  Organization 


1 ,       (A)  BIO  has  supported  legislation  to  prohibit  discrimination  based  on  genetic 
information.  Specifically,  worked  effectively  in  1996  to  secure  enactment  of  an 
amendment  to  the  Health  Insurance  Portability  and  Accessibility  Act  that  provides 
important  protections  against  discrimination  by  health  insurance  companies  based  on 
"genetic  information"  about  the  individual.  The  protections  against  discrimination 
based  on  "genetic  information"  were  not  included  in  original  House  or  Senate  version 
of  the  legislation.  The  bills  provided  protections  against  discrimination  based  on 
"pre-existing  conditions,"  but  this  was  defined  as  a  condition  for  which  there  had 
been  a  diagnosis  and  treatment.  Adding  "genetic  discrimination"  means  that 
individuals  who  take  a  predictive  genetic  test  to  determine  if  they  will  or  are  likely  to 
manifest  symptoms  of  a  genetic-based  disease  are  also  protected.  In  fact,  they  have 
greater  protections  than  individuals  with  pre-existing  conditions  (not  being  subjected 
to  a  waiting  period  for  health  benefits  coverage).  Legislation  is  pending  to  extend 
these  protections  to  the  individual  insurance  market. 

Moreover,  it  is  BIO's  view  that  some  of  the  legislative  proposals  such  as  HR  2470 
the  "Medical  Information  Protection  and  Research  Enhancement  Act  of  1999"  and 
the  Chairman's  mark  from  last  year's  debate  in  the  Senate  Health  Education  Labor 
and  Pensions  Committee  will  protect  patient  confidentiality. 

(B)  In  general.  Institutional  Review  Boards  (IRBs)  should  be  responsible  for 
ensuring  that  patients  provide  informed  consent  in  research.  Moreover,  informed 
consent  is  apprx5priate  for  the  use  and  disclosure  of  individually  identifiable 
information.  As  I  pointed  out  in  my  testimony,  however,  research  performed  by 
biotechnology  companies  is  done  with  "de-identified  data".  It  would  be  virtually 
impossible  to  identify  a  research  subject  with  the  information  a  company  uses. 
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2.       (A)  Yes.  BIO  is  concerned  that  "covered  entities"  will  be  unsure  whether 
they  are  complying  with  this  requirement  in  the  rule.  In  addition,  sanctions  for 
violating  the  rule  (civil  and  criminal  sanctions)  are  severe.  The  result  will  be  that 
entities  will  be  unwilling  to  share  data  with  medical  researchers.  This  could  slow  or 
stop  vital  research  projects. 

(B)  No  Medical  information  should  be  shared  with  researchers.  As  noted  in 
mv  testimony,  proper  safeguards  should  be  in  place  to  protect  ^onfif^^^ijy: 
Xev'rde'v el^p  Hfe-saving  dmgs  and  treatments,  U  ,s  cnt.cal  that  medical 
researchers  have  access  to  medical  mformaUon. 


Staff  Contacts 

Janlori  Goldman,  Director 
Angela  Choy,  Field  Director 


Health  Privacy  Project 
2233  Wisconsin  Avenue  NW 
Suite  525 

Washington  DC  20007 
Tel:  202-687-0880 
Fax:  202-687-3110 
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Steering  Committee 


Susannah  Baruch  and  Joanne  Hustead 
National  Pai-nership  for  Women  &  Families 

Sara  Collins 

National  Multiple  Sclerosis  Society 
Jeff  Crowley 

Consortium  for  Citizens  with  Disabilities 
Health  Privacy  Working  Group  and 
National  Association  of  People  with  AIDS 


Mary  Davidson 

Alliance  of  Genetic  Support  Groups 

Bill  Decker 
AARP-PPl 

Chris  Koyanagi 

Bazelon  Center  for  Mental  Health 

Stephanie  Reed 

American  Nurses  Association 


Mission  and  Statement  of  Principles 

The  mission  of  the  Consumer  Coalition  for  Health  Privacy  is  to  educate  and  empower  healthcare 
consvuners  to  have  a  prominent  and  informed  voice  on  health  privacy  issues  at  the  federal,  state, 
and  local  levels.  Members  of  the  coalition  are  committed  to  the  development  and  enactment  of 
public  policies  and  private  standards  that  guarantee  the  confidentiality  of  personal  health 
information  and  promote  both  access  to  high  quality  care  and  the  continued  viability  of  medical 
research.  In  order  to  accomplish  these  goals,  health  privacy  policy  must  be  based  on  the 
following  principles: 
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Right  to  Privacy 

An  individual's  right  to  privacy  with  respect  to  individually  identifiable  health  information, 
including  geneticlnformation,  should  be  established  statutorily.  Individuals  should  retain  the 
ultimate  right  to  decide  to  whom,  and  under  what  circumstances,  their  individually  identifiable 
health  information  will  be  disclosed.  Confidentialit>'  protections  should  extend  not  only  to 
medical  records,  but  also  to  all  other  individually  identifiable  health  information,  including 
genetic  information,  clinical  research  records,  and  mental  health  therapy  notes.  Additional 
protections  may  be  necessary  for  highly  sensitive  information. 

Identifiable  Information 

Use  and  disclosure  of  individually  identifiable  health  information  should  be  limited.  Protections 
should  be  in  place  to  ensure  that  anonymized  data  is  used  whenever  possible. 

Access 

An  individual  should  have  the  right  to  access  his  or  her  ovm  health  information  and  the  right  to 
supplement  such  information.  Individuals  should  have  the  right  to  access  and  supplement  their 
own  medical  records  so  that  they  can  make  informed  health  care  decisions  and  can  correct 
erroneous  information  in  their  records. 

Notice 

Individuals  should  be  notified  about  how  their  medical  records  are  used  and  when  their 
individually  identifiable  health  information  is  disclosed  to  third  parties.  Individuals  should  be 
given  written,  easy-to-understand  notice  of  how  their  individually  identifiable  health 
information  will  be  used  and  by  whom.  With  such  notice  people  can  make  informed,  meaningful 
choices  about  uses  and  disclosures  of  their  health  information. 

Informed  Consent 

The  use  or  disclosure  of  individually  identifiable  health  information  absent  an  individual's 
informed  consent  should  be  prohibited.  Health  care  providers,  health  plans,  insurance  companies, 
employers  and  others  in  possession  of  individually  identifiable  health  information  should  be 
prohibited  firom  using  or  disclosing  such  information  unless  the  use  or  disclosure  is  authorized  by 
the  individual.  Use  or  disclosures  without  informed  consent  should  be  permitted  only  under 
exceptional  circumstances  ~  for  example,  if  a  person's  life  is  endangered,  if  there  is  a  threat  to 
the  public  health,  or  if  there  is  a  compelling  law  enforcement  need.  Disclosure  of  individually 
identifiable  health  information  for  marketing  or  commercial  purposes  should  never  be  permitted 
without  informed  consent.  Any  time  information  is  used  or  disclosed  it  should  be  limited  to  the 
minimum  amount  necessary  for  the  use  or  disclosure. 

Public  Health  and  Research 

While  protecting  individual  privacy  rights,  legislation  should  not  impede  important  public  health 
efforts  or  clinical,  medical  and  quality  of  care  research. 

Safeguards 

The  development  of  security  safeguards  for  the  use,  disclosure  and  storage  of  personal  health 
information  should  be  required.  Appropriate  safeguards  should  be  in  place  to  protect  individually 
identifiable  health  information  from  unauthorized  use  or  disclosure. 

Penalties 

Strong  and  enforceable  remedies  for  violations  of  privacy  protections  should  be  established. 
Remedies  should  include  a  private  right  of  action,  as  well  as  civil  penalties  and  criminal 
sanctions  where  appropriate.  Individuals  that  come  forward  to  report  violations  of  this  law  should 
be  protected  from  retaliation. 

Preemption 

Federal  legislation  should  provide  a  floor  for  the  protection  of  individual  privacy 
rights,  not  a  ceiling.  Like  all  other  federal  civil  rights  and  privacy  laws,  federal 
privacy  legislation  for  health  information  should  set  the  minimum  acceptable 
standard.  Federal  legislation  should  not  pre-empt  any  other  federal  or  state  law 
or  regulation  that  is  more  protective  of  an  individual's  right  to  privacy  of  or  access 
to  individually  identifiable  health  information. 
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Endorsing  Organizations  (In  formation) 


AIDS  Action 

AIDS  Alliance  for  Children,  Youth,  and  Families 
American  Association  for  Marriage  and  Family  Therapy 
American  Association  for  Retired  Persons 
American  Association  of  Occupational  Health  Nurses 
American  Counseling  Association 

American  Federation  of  State,  County,  and  Municipal  Employees 
American  Mental  Health  Counselors  Association 
American  Nurses  Association 

American  Pseudo-obstruction  and  Hirschsprung's  Disease  Society 
American  Psychiatric  Nurses  Association 
Americans  for  Democratic  Action 

Association  of  Women's  Health,  Obstetric  and  Neonatal  Nurses 
Bazelon  Center  for  Mental  Health  Law 
Call  for  Action 

Center  for  Reproductive  Law  and  Policy 
Center  for  Women  Policy  Studies 
• .     Children  and  Adults  with  Attention  Deficit/Hyperactivity  Disorder 
Committee  for  Children 
Consumer  Federation  of  America 
Easter  Seals 

Epilepsy  Foundation,  National  Office 

Genetic  Alliance 

International  Union,  UAW 

Legal  Action  Center 

Les  Turner  ALS  Foundation 

Myositis  Association  of  America 
I       National  Abortion  Federation 

National  Association  Mandating  Equitable  Databases  (the  NAMED) 

National  Association  of  Alcoholism  and  Drug  Abuse  Counselors 

National  Association  of  People  With  AIDS 
5.;T     National  Association  of  Social  Workers 
J,     National  Black  Women's  Health  Project 

National  Family  Planning  and  Reproductive  Health  Association 

National  Gay  and  Lesbian  Task  Force 

National  Health  Law  Program 

National  Latina/o  Lesbian,  Gay,  Bisexual  and  Transgender  Organization 

National  Mental  Health  Association 

National  Multiple  Sclerosis  Society 

National  Organization  for  Rare  Disorders 

National  Organization  for  Women 

National  Partnership  for  Women  &  Families 

National  Senior  Citizens  Law  Center 

Oncology  Nursing  Society 

Planned  Parenthood  Federation  of  America 

Service  Employees  International  Union 

Title  II  Community  AIDS  National  Network 

The  Chairman.  The  hearing  is  adjourned. 

[Whereupon,  at  12:20  p.m.,  the  committee  was  adjourned.] 
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